Vulnerabilities we've disclosed
GitHub Security Lab researchers find vulnerabilities in key, widely-used open source projects. We then coordinate the disclosure of those vulnerabilities to security teams at those projects. We only publish vulnerabilities here after they’ve been announced by the affected projects' development teams and patches are available. See our disclosure policy below for more information.
GHSL-2024-027_GHSL-2024-028: API abuse in codeium-chrome - CVE-2024-28120
The service worker of the codeium-chrome extension doesn't check the sender when receiving an external message. This allows an attacker to host a website that will steal the user's Codeium api-key, and thus impersonate the user on the backend autocomplete server.
Kevin Stubbings
GHSL-2023-221: Path traversal vulnerability in digdag - CVE-2024-25125
Treasure Data's digdag workload automation system was susceptible to a path traversal vulnerability if it's configured to store log files locally.
Peter Stöckli
GHSL-2023-121: SAML authentication bypass vulnerability in RobotsAndPencils/go-saml - CVE-2023-48703
A SAML authentication bypass vulnerability was found in the RobotsAndPencils/go-saml library. This issue may lead to authentication bypasses in applications using go-saml for the signature verification of SAML assertions.
Peter Stöckli
GHSL-2023-200: SQL injection vulnerability in FarmBot’s web app - CVE-2023-45674
A SQL injection vulnerability was found in FarmBot’s web app that allowed authenticated attackers to extract arbitrary data from its database (including the user table).
Peter Stöckli
GHSL-2023-140: SQL injection vulnerability in TaxonWorks - CVE-2023-43640
A SQL injection vulnerability was found in TaxonWorks that allowed authenticated attackers to extract arbitrary data from the TaxonWorks database (including the user table).
Peter Stöckli
GHSL-2023-258_GHSL-2023-259: Reflected XSS vulnerability and CORS issue in tamagui
A reflected XSS vulnerability and a CORS issue are present on the tamagui website, tamagui.dev. These vulnerabilities may allow an attacker to leak the cookies of users, and thus impersonate users on the website.
Kevin Stubbings
GHSL-2023-186_GHSL-2023-189: Server-Side Request Forgery (SSRF) and Cross-Site Scripting (XSS) in whoogle-search - CVE-2024-22203, CVE-2024-22204, CVE-2024-22205, CVE-2024-22417
Whoogle-search is vulnerable to Server-Side Request Forgery (SSRFs), Cross-Site Scripting (XSS) and a limited file write vulnerability.
Sylwia Budzynska
GHSL-2023-275: Arbitrary command execution in verify-changed-files
The tj-actions/verify-changed-files workflow allows for command injection in changed filenames, potentially allowing an attacker to leak secrets.
Jorge Rosillo
GHSL-2023-271: Arbitrary command execution in changed-files
The tj-actions/changed-files workflow allows for command injection in changed filenames, allowing an attacker to execute arbitrary code and potentially leak secrets.
GitHub Security Lab
GHSL-2023-268_GHSL-2023-270: Arbitrary command execution and SQL injection in Nginx-UI
Nginx-UI is a web interface to manage Nginx configurations. It is vulnerable to arbitrary command execution by abusing the configuration settings, and is also vulnerable to SQL injection.
Jorge Rosillo
GHSL-2023-260: Remote command execution (RCE) in Intel Analytics’ BigDL-LLM
Intel Analytics' BigDL-LLM is a library for running LLM (large language model) on Intel XPU (from Laptop to GPU to Cloud). The finetune server exposes an endpoint allowing attackers to potentially execute malicious commands on developer machines.
Jorge Rosillo
GHSL-2023-266_GHSL-2023-267: Blind server-side request forgery (SSRF) vulnerabilities in Audiobookshelf - CVE-2023-51665, CVE-2023-51697
Audiobookshelf is vulnerable to blind server-side request forgery (SSRF) vulnerabilities.
Sylwia Budzynska
GHSL-2023-262: Server-side request forgery (SSRF) vulnerability in Dtale 3.8.1 - CVE-2024-21642
Dtale 3.8.1 is vulnerable to a server-side request forgery (SSRF) vulnerability.
Sylwia Budzynska
GHSL-2023-208: Unsafe deserialization in MkDocs
MkDocs is vulnerable to an unsafe deserialization when parsing configuration files.
Jorge Rosillo
GHSL-2023-201_GHSL-2023-202: Blind server-side request forgery (SSRF) in Medusa - CVE-2023-50258, CVE-2023-50259
Medusa contains two unauthenticated blind server-side request forgery (SSRF) vulnerabilities.
Sylwia Budzynska
GHSL-2023-182_GHSL-2023-184: Server-side request forgery (SSRF), arbitrary file write and limited file write vulnerabilities in mindsdb/mindsdb - CVE-2023-49795, CVE-2023-50731, CVE-2023-49796
Three vulnerabilities that can be exploited by unauthenticated users were found in MindsDB: a Server-side request forgery (SSRF) vulnerability, an arbitrary file write vulnerability and a limited file write vulnerability.
Sylwia Budzynska
GHSL-2023-192_GHSL-2023-194: Several vulnerabilities in bazarr - CVE-2023-50264, CVE-2023-50265, CVE-2023-50266
Bazarr is vulnerable to unauthenticated arbitrary file reads in two endpoints and a blind server-side request forgery (SSRF).
Sylwia Budzynska
GHSL-2023-218_GHSL-2023-219: Cross-Site Scripting (XSS) in scrypted
Two reflected Cross-Site Scripting (XSS) vulnerabilities exist in scrypted that may allow an attacker to impersonate any user who clicks on specially crafted links. In the worst case, an attacker may be able to impersonate an administrator and run arbitrary commands.
Kevin Stubbings
GHSL-2023-203_GHSL-2023-204: Several vulnerabilities in audiobookshelf
Audiobookshelf is vulnerable to server-side request forgery (SSRF), arbitrary file read (AFR) and arbitrary file deletion (AFD) depending on the permissions of the user.
Kevin Stubbings
GHSL-2023-028: Remote Code Execution in jellyfin - CVE-2023-48702
A user with administrator permissions is able to run arbitrary code on the jellyfin server via the /System/MediaEncoder/Path endpoint.
Kevin Stubbings
GHSL-2023-190: Several vulnerabilities in Frigate - CVE-2023-45672, CVE-2023-45671, CVE-2023-45670
Unsafe deserialization, reflected XSS, cross-site request forgery, and cross-site scripting vulnerabilities were found in Frigate.
GitHub Security Lab
GHSL-2023-081_GHSL-2023-082: Tar Slip vulnerabilities in Autolab - CVE-2023-32676, CVE-2023-32317
Two Tar Slip vulnerabilities were found in Autolab. Those vulnerabilities could have allowed attackers to create or replace files on the file system that in the worst case could have been executed by the application or system itself.
Peter Stöckli
GHSL-2023-030: Session Forgery in Autolab - CVE-2023-28641
Autolab did not enforce a unique, secure secret_key_base for the default docker-based production setup. If no secret_key_base was set, Autolab fell back to a static secret_key_base that was the same for all instances. This could have enabled attackers to impersonate admin users via session forgery.
Peter Stöckli
GHSL-2022-100: Path traversal vulnerability and remote code execution (RCE) vulnerability in Autolab - CVE-2022-41955, CVE-2022-41956
Two vulnerabilities were found in Autolab: File disclosure due to path traversal (GHSL-2022-100) and Authenticated Remote Code Execution (GHSL-2022-124).
Peter Stöckli
GHSL-2023-185: Server-Side Request Forgery (SSRF) in Posthog - CVE-2023-46746
A server-side request forgery (SSRF), which can only be exploited by authenticated users, was found in Posthog.
Sylwia Budzynska
GHSL-2023-141: SQL injection in Nocodb - CVE-2023-43794
Nocodb contains a SQL injection vulnerability that allows an authenticated attacker with creator access to query the underlying database.
Sylwia Budzynska
GHSL-2023-180: Type confusion in Chrome's renderer - CVE-2023-4069
A type confusion in VisitFindNonDefaultConstructorOrConstruct can be exploited by an attacker to gain code execution in Chrome's renderer.
Man Yue Mo
GHSL-2023-145_GHSL-2023-151/GHSL-2023-165_GHSL-2023-172: Several memory access violations in stb_image and stb_vorbis
stb_image and stb_vorbis libraries contain several memory access violations of different severity.
Jaroslav Lobacevski
GHSL-2023-197: Out-of-bounds array access in libcue - CVE-2023-43641
libcue is a library for parsing CUE sheet files. A malicious file can trigger an out-of-bounds array access in the track_set_index function.
Kevin Backhouse
GHSL-2023-108: GitHub Actions command injection in Stash
The Stash repository is vulnerable to an Actions command injection in e2e.yml.
Jorge Rosillo
GHSL-2023-052: Unsafe deserialization in XXL-RPC - CVE-2023-45146
Attackers may be able to connect to the server and provide malicious serialized objects that, once deserialized, force it to execute arbitrary code.
GitHub Security Lab
GHSL-2023-191: Arbitrary File Read in ShokoServer - CVE-2023-43662
An arbitrary file read exists in the /api/Image/WithPath endpoint that would allow unauthenticated attackers to read arbitrary files on Windows systems.
Kevin Stubbings
GHSL-2023-100: Command Injection in a GitHub Actions workflow of Apache Ignite
The apache/ignite repository is vulnerable to a command injection in Actions, allowing an attacker to leak secrets.
Jorge Rosillo
GHSL-2023-137: Type confusion in Chrome - CVE-2023-3420
A type confusion caused by JSStackCheck can be exploited by an attacker to gain code execution in Chrome's renderer.
Man Yue Mo
GHSL-2023-053: Unsafe deserialization in Redisson - CVE-2023-42809
Redisson is a Java Redis client that uses the Netty framework. Some of the messages received from the Redis server contain Java objects that the client deserializes without further validation. Attackers that manage to trick clients into communicating with a malicious server can include especially crafted objects in the server's responses that, once deserialized by the client, force it to execute arbitrary code. This can be abused to take control of the machine the client is running on.
GitHub Security Lab
GHSL-2023-026: Cross-site scripting (XSS) in Common Voice - CVE-2023-42808
Common Voice is vulnerable to Cross-Site Scripting (XSS).
Jorge Rosillo
GHSL-2023-138: SAML token signature bypass in VMware Tools - CVE-2023-20900
A SAML authentication bypass vulnerability was found in the vgauth module of the VMware tools (open-vm-tools).
Peter Stöckli
GHSL-2023-114: SSRF vulnerability in the Bitbucket Push and Pull Request Jenkins Plugin - CVE-2023-41937
Bitbucket Push and Pull Request Plugin provides a webhook endpoint at /bitbucket-hook/ that can be used to trigger builds of jobs configured to use a specified repository. In Bitbucket Plugin 2.8.3 and earlier, when a build is triggered in this way, attackers can force a connection to an arbitrary URL using the configured Bitbucket credentials.
Alvaro Munoz
GHSL-2023-181: Expression injection in the GitHub Action workflow of Pytorch
The pytorch/pytorch filter-test-configs workflow is vulnerable to an expression injection in Actions, allowing an attacker to potentially leak secrets and alter the repository using the workflow.
Jorge Rosillo
GHSL-2023-084: Cross-site scripting (XSS) in Pay - CVE-2023-30614
Pay, a payments engine for Ruby on Rails, comes with a payment info page which is susceptible to Cross-site scripting.
Peter Stöckli
GHSL-2023-080: Unauthenticated data exfiltration in Decidim - CVE-2023-34090
Decidim, a platform for digital citizen participation, is vulnerable to non-public data exfiltration.
Peter Stöckli
GHSL-2023-006: Cross-site scripting (XSS) in Decidim leading to potential endorsement manipulation - CVE-2023-32693
Decidim, a platform for digital citizen participation, is vulnerable to Cross-site scripting. An attacker could impersonate other users and endorse or support proposals on their behalf.
Peter Stöckli
GHSL-2023-093: Server-Side Request Forgery (SSRF) in jenkinsci/maven-artifact-choicelistprovider-plugin - CVE-2023-40347
Several Server-Side Request Forgery (SSRF) vulnerabilities in jenkinsci/maven-artifact-choicelistprovider-plugin allow the leak of sensitive credentials to an attacker-controlled server.
Alvaro Munoz
GHSL-2023-067: Server-Side Request Forgery (SSRF) in jenkinsci/servicenow-devops-plugin - CVE-2023-3414, CVE-2023-3442
A Server-Side Request Forgery (SSRF) vulnerability in jenkinsci/servicenow-devops-plugin allows the leak of sensitive credentials to an attacker-controlled server.
Alvaro Munoz
GHSL-2023-061: Cross-Site Request Forgery (CSRF) and Server-Side Request Forgery (SSRF) in jenkinsci/blueocean-plugin - CVE-2023-40341
A CSRF/SSRF vulnerability in jenkinsci/blueocean-plugin allows the leak of sensitive credentials (including GitHub credentials) to an attacker-controlled server.
Alvaro Munoz
GHSL-2023-105: Buffer Overflow in uchardet
A crafted sequence of bytes triggers a memory read past the bounds of a globally allocated object buffer.
Jaroslav Lobacevski
GHSL-2023-112, GHSL-2023-102, GHSL-2023-103, GHSL-2023-092: Buffer Overflows in Notepad++ - CVE-2023-40031, CVE-2023-40036, CVE-2023-40164, CVE-2023-40166
Multiple memory safety violations occur in Notepad++ when opening a crafted file.
Jaroslav Lobacevski
GHSL-2022-119: Arbitrary command execution in CasaOS - CVE-2023-37469
If an authenticated user using CasaOS is able to successfully connect to a controlled SMB server, they are able to execute arbitrary commands.
Kevin Stubbings
GHSL-2023-086_GHSL-2023-087: Expression injection in a GitHub Actions workflow of Airbyte
A potential expression injection exists from the github.event.comment.body context, which may be controlled by an external user.
GitHub Security Lab
GHSL-2023-143_GHSL-2023-144: SAML signature validation bypass in OpenAM - CVE-2023-37471
Attackers can use an improper SAML signature validation to impersonate any OpenAM user, including the administrator.
GitHub Security Lab
GHSL-2023-117_GHSL-2023-119: Denial of Service (DoS) in cmark-gfm - CVE-2023-37463
A crafted markdown document can trigger denial-of-service attacks on websites that use cmark-gfm to render markdown documents.
Kevin Backhouse
GHSL-2023-116: Denial of Service (DoS) in MySQL - CVE-2023-22057
A segfault can be triggered by switching session_track_gtids on and off and then either resetting the session or switching users, resulting in a loss of service.
GitHub Security Lab
GHSL-2023-109: GitHub Actions command injection in a TDesign Vue Next workflow
The TDesign Vue Next repository is vulnerable to an Actions command injection in auto-release.yml.
Jorge Rosillo
GHSL-2023-079: Arbitrary File Exfiltration in Jenkins MathWorks Polyspace Plugin - CVE-2023-37960
Jenkins MathWorks Polyspace Plugin 1.0.5 and earlier does not restrict a file path in a job parameter, allowing attackers with the Job/Configure permission to exfiltrate arbitrary files from the Jenkins controller by sending them in an email notification.
GitHub Security Lab
GHSL-2023-074: Server-Side Request Forgery (SSRF) in miniorange-saml-sp-plugin - CVE-2023-32991, CVE-2023-32992
A Server-Side Request Forgery (SSRF) vulnerability was found in the miniorange-saml-sp-plugin. The vulnerability resides in the org.miniorange.saml.MoSAMLAddIdp#doValidateMetadataUrl method and can be exploited without authentication. An attacker can leverage this vulnerability to send requests to arbitrary hosts.
Alvaro Munoz
GHSL-2023-073: Server-Side Request Forgery (SSRF) in benchmark-evaluator-plugin - CVE-2023-37962, CVE-2023-37963
A Server-Side Request Forgery (SSRF) vulnerability was found in the benchmark-evaluator-plugin. The vulnerability resides in the io.jenkins.plugins.benchmark.BenchmarkBuilder#doCheckFilepath method and can be exploited without authentication. An attacker can leverage this vulnerability to send requests to arbitrary hosts.
Alvaro Munoz
GHSL-2023-071: Server-Side Request Forgery (SSRF) in sumologic-publisher-plugin - CVE-2023-37958, CVE-2023-37959
A Server-Side Request Forgery (SSRF) vulnerability was found in the sumologic-publisher-plugin. The vulnerability resides in the com.sumologic.jenkins.jenkinssumologicplugin.PluginDescriptorImpl#doTestURL method and can be exploited without authentication. An attacker can leverage this vulnerability to send requests to arbitrary hosts.
Alvaro Munoz
GHSL-2023-069: Server-Side Request Forgery (SSRF) in jenkinsci/elasticbox-plugin - CVE-2023-37964, CVE-2023-37965
A Server-Side Request Forgery (SSRF) vulnerability in jenkinsci/elasticbox-plugin allows the leak of sensitive credentials to an attacker-controlled server. The issue arises from a lack of proper input validation/sanitization of the endpointUrl parameter in multiple web methods such as SlaveConfiguration$DescriptorImpl#doGetInstances. These methods read arbitrary credentials from the credentials storage using the hardcoded ACL.System permission and send them to attacker-controlled servers.
Alvaro Munoz
GHSL-2023-068: Server-Side Request Forgery (SSRF) in jenkinsci/datadog-plugin - CVE-2023-37944
A Server-Side Request Forgery (SSRF) vulnerability in jenkinsci/datadog-plugin allows the leak of sensitive credentials to an attacker-controlled server. The issue arises from a lack of proper input validation/sanitization of the targetApiURL parameter in DatadogGlobalConfiguration#doTestConnection. This method reads arbitrary credentials from the credentials storage using the hardcoded ACL.System permission and sends them to attacker-controlled servers.
Alvaro Munoz
GHSL-2023-066: Server-Side Request Forgery (SSRF) in jenkinsci/macstadium-orka-plugin - CVE-2023-37949
A Server-Side Request Forgery (SSRF) vulnerability in jenkinsci/macstadium-orka-plugin allows the leak of sensitive credentials to an attacker-controlled server. The issue arises from a lack of proper input validation/sanitization of the orkaEndpoint parameter in OrkaAgent#doFillNodeItems. This method hardcodes ACL.System access to the credentials storage and leaks the secrets to attacker-controlled servers.
Alvaro Munoz
GHSL-2023-065: Server-Side Request Forgery (SSRF) in jenkinsci/mabl-integration-plugin - CVE-2023-37952, CVE-2023-37953
Several Server-Side Request Forgery (SSRF) vulnerabilities in jenkinsci/mabl-integration-plugin allow the leak of sensitive credentials to an attacker-controlled server. The issue arises from a lack of proper input validation/sanitization of the apiBaseUrl parameter in the MablStepBuilder#doFillEnvironmentIdItems, MablStepBuilder#doFillApplicationIdItem and MablStepBuilder#doValidateForm methods. These methods use the ACL.System permission to access the credentials storage and can be abused to leak arbitrary secrets to attacker-controlled servers.
Alvaro Munoz
GHSL-2023-064: Cross-Site Request Forgery (CSRF) and Server-Side Request Forgery (SSRF) in jenkinsci/pipeline-restful-api-plugin - CVE-2023-37957
Cross-Site Request Forgery (CSRF) and Server-Side Request Forgery (SSRF) vulnerabilities in jenkinsci/pipeline-restful-api-plugin may allow an attacker to retrieve a token to impersonate its victim.
Alvaro Munoz
GHSL-2023-063: Server-Side Request Forgery (SSRF) in test-results-aggregator-plugin - CVE-2023-37955, CVE-2023-37956
A Server-Side Request Forgery (SSRF) vulnerability was found in the test-results-aggregator-plugin. The vulnerability resides in the com.jenkins.testresultsaggregator.TestResultsAggregator#doTestApiConnection method and can be exploited without authentication. An attacker can leverage this vulnerability to send requests to arbitrary hosts.
Alvaro Munoz
GHSL-2023-056: XML external entity (XXE) in Jenkins External Monitor Job Plugin - CVE-2023-37942
Jenkins External Monitor Job Plugin 203.v683c09d993b_9 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows authenticated attackers with Job Build permissions to send specific HTTP requests that force Jenkins to download and parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
GitHub Security Lab
GHSL-2023-120: Arbitrary File Read/Write during TAR extraction in Gradle
Gradle 8.1.1 does not ensure that paths constructed from TAR archive entries are validated. This allows attackers who are able to manipulate a TAR file which is unpacked by a Gradle script to overwrite arbitrary files. It also allows attackers who are able to manipulate a TAR file which is read by a Gradle script to read arbitrary files.
GitHub Security Lab
GHSL-2023-083: Improper certificate validation in KeyCloak - CVE-2023-2422
When a Keycloak server is configured to support mTLS authentication for OAuth/OpenID clients, it does not properly verify the client certificate chain. A client that possesses a proper certificate can authorize itself as any other client and therefore access data that belongs to other clients.
Michael Stepankin
GHSL-2023-044: Unsafe Deserialization in Aerospike Java client - CVE-2023-36480
The Aerospike Java client is a Java application that implements a network protocol to communicate with an Aerospike server. Some of the messages received from the server contain Java objects that the client deserializes when it encounters them without further validation. Attackers that manage to trick clients into communicating with a malicious server can include especially crafted objects in its responses that, once deserialized by the client, force it to execute arbitrary code. This can be abused to take control of the machine the client is running on.
GitHub Security Lab
GHSL-2023-139: Use After Free (UAF) in accountsservice - CVE-2023-3297
An unprivileged local attacker can trigger a use-after-free vulnerability in accountsservice by sending a D-Bus message to the accounts-daemon process.
Kevin Backhouse
GHSL-2023-107: GitHub Actions Command Injection in Jellyfin
The jellyfin/jellyfin repository is vulnerable to a command injection in Actions, allowing an attacker to take over the GitHub Actions runner and leak secrets.
Jorge Rosillo
GHSL-2023-050: Command Injection in Apache Doris repository's CI workflow
The Apache Doris repository is vulnerable to a Command Injection in the CI workflow auto_trigger_teamcity.yml.
Jorge Rosillo
GHSL-2023-045: LDAP injection in Bouncy Castle For Java - CVE-2023-33201
Bouncy Castle For Java is affected by an LDAP injection vulnerability. The vulnerability only affects applications that use an LDAP CertStore from Bouncy Castle to validate X509 certificates. During the certificate validation process, Bouncy Castle inserts the certificate’s Subject Name into an LDAP search filter without any escaping, which leads to an LDAP injection vulnerability.
Michael Stepankin
GHSL-2023-009: Credentials leaks for LDAP authentication in Apereo CAS - CVE-2023-28857
When CAS is configured to use X509 certificate authentication with an LDAP directory, an unauthenticated user can leak the credentials for LDAP authentication. This is possible by sending a specially crafted X509 client certificate that contains a "CRL Distribution Points" extension with URLs pointing to a malicious resource.
Michael Stepankin
GHSL-2023-115: Cross-Site Scripting (XSS) in template-workflows-plugin - CVE-2023-35146
A stored Cross-Site Scripting (XSS) vulnerability was found in the template-workflows-plugin project.
Alvaro Munoz
GHSL-2023-110: Actions command injection in the CI workflow of winglang/wing
The winglang/wing repository is vulnerable to a command injection in Actions, allowing an attacker to take over the contents of the repository and leak secrets.
Jorge Rosillo
GHSL-2023-106: Actions command injection in a new issue workflow of textualize/rich
The textualize/rich repository is vulnerable to a command injection in Actions.
Jorge Rosillo
GHSL-2023-104: Actions command injection in the CI workflow of hashicorp/terraform-cdk
The hashicorp/terraform-cdk repository is vulnerable to a command injection in Actions, allowing an attacker to take over the contents of the repository and leak secrets.
Jorge Rosillo
GHSL-2023-101: Actions command injection in the CI workflow of zcash/zcash
The zcash/zcash repository is vulnerable to a command injection in Actions, allowing an attacker to take over the contents of the repository and leak secrets.
Jorge Rosillo
GHSL-2023-099: Actions command injection in the CI workflow of iluwatar/java-design-patterns
The iluwatar/java-design-patterns repository is vulnerable to a command injection in Actions, allowing an attacker to take over the contents of the repository and leak secrets.
Jorge Rosillo
GHSL-2023-097: Cross-Site Scripting (XSS) in maven-repository-plugin - CVE-2023-35143
A stored Cross-Site Scripting (XSS) vulnerability was found in the maven-repository-plugin project.
Alvaro Munoz
GHSL-2023-095: Cross-Site Scripting (XSS) in Jenkins Sonargraph - CVE-2023-35145
Multiple reflected Cross-Site Scripting (XSS) vulnerabilities were found in the Jenkins Sonargraph integration plugin.
Alvaro Munoz
GHSL-2023-070: Server-Side Request Forgery (SSRF) in jenkinsci/dimensionsscm-plugin - CVE-2023-32262
A Server-Side Request Forgery (SSRF) vulnerability in jenkinsci/dimensionsscm-plugin allows the leak of sensitive credentials to an attacker-controlled server. The issue arises from a lack of proper input validation/sanitization of the dimensionsscm.serverPlugin parameter in the DimensionsScm#doCheckServerConfig method and the ACL.System access to the credentials storage.
Alvaro Munoz
GHSL-2023-054: Unauthenticated arbitrary file read in Jenkins plugin 3.0.12 - CVE-2023-35147
AWS CodeCommit Trigger Jenkins Plugin 3.0.12 and earlier does not restrict a file name path parameter in an HTTP endpoint, allowing authenticated attackers to read arbitrary files on the Jenkins controller file system.
GitHub Security Lab
GHSL-2022-097: SQL injection in rudderlabs/rudder-server - CVE-2023-30625
Blind SQL injections are present in rudderlabs/rudder-server that allow unauthenticated users to achieve Remote Code Execution.
Kevin Stubbings
GHSL-2023-025: Drive-by command injection in SRS's api-server - CVE-2023-34105
SRS's 'api-server' server is vulnerable to a drive-by command injection.
Alvaro Munoz
GHSL-2022-065: Insufficient Path Validation in Omni-Notes Android App - CVE-2023-33188
The Omni-Notes Android app has an insufficient path validation vulnerability when displaying the details of a note received through an externally-provided intent. The paths of the note's attachments are not properly validated, allowing malicious or compromised applications on the same device to force Omni-notes to copy files from its internal storage to its external storage directory, where they become accessible to any component with permission to read the external storage.
GitHub Security Lab
GHSL-2023-088: Arbitrary File Read in Ombi - CVE-2023-32322
Ombi, an application that allows users to request specific media from popular self-hosted streaming servers, contains a vulnerability that allows administrators to read arbitrary files on the Ombi host.
Kevin Stubbings
GHSL-2023-024: Drive-by command injection in Brook's tproxy server - CVE-2023-33965
Brook's tproxy server is vulnerable to a drive-by command injection.
Alvaro Munoz
GHSL-2023-022: Command Injection in an Apache Cloudstack CI workflow
Apache Cloudstack is vulnerable to a Command Injection in sonar-check.yml.
Jaroslav Lobacevski
GHSL-2023-077: Arbitrary file write in the File Parameters Jenkins Plugin - CVE-2023-32986
Jenkins File Parameters Plugin 285.v757c5b_67a_c25 and earlier does not restrict a file path in a job parameter, allowing attackers with the Job/Configure permission to upload arbitrary files to the Jenkins controller.
GitHub Security Lab
GHSL-2023-076: Information disclosure in the Sidebar Link Plug-in for Jenkins - CVE-2023-32985
Sidebar Link Plug-in for Jenkins 2.2.1 and earlier does not restrict a file path parameter in an HTTP endpoint, allowing authenticated attackers to enumerate arbitrary files on the Jenkins controller file system.
GitHub Security Lab
GHSL-2023-075: Server-Side Request Forgery (SSRF) in the AppSpider Jenkins plugin - CVE-2023-32998, CVE-2023-32999
A Server-Side Request Forgery (SSRF) vulnerability was found in the AppSpider Jenkins plugin. An unauthenticated attacker can leverage this vulnerability to send requests to arbitrary hosts.
Alvaro Munoz
GHSL-2023-072: Several Server-Side Request Forgery (SSRF) vulnerabilities in the Codedx Jenkins plugin - CVE-2023-2195, CVE-2023-2631
Several Server-Side Request Forgery (SSRF) vulnerabilities were found in the Codedx Jenkins plugin. An unauthenticated attacker can leverage these vulnerabilities to send requests to arbitrary hosts.
Alvaro Munoz
GHSL-2023-058_GHSL-2023-059: ZipSlip in Jenkins Pipeline Utility Steps Plugin - CVE-2023-32981
Jenkins Pipeline Utility Steps Plugin 2.15.1 and earlier allows attackers able to manipulate a TAR or ZIP file extracted by the plugin to create or replace any file on the file system.
GitHub Security Lab
GHSL-2023-055: XML external entity (XXE) or server-side request forgery (SSRF) in SAML SSO Jenkins Plugin - CVE-2023-32991, CVE-2023-32992
Authenticated attackers can send specific HTTP requests that force Jenkins to download and parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller, as well as server-side request forgery.
GitHub Security Lab
GHSL-2023-046: Local Privilege Escalation in sccache - CVE-2023-1521
If the server is run as root (which is the default when installing the snap package), a user running the sccache client can get root privileges.
GitHub Security Lab
GHSL-2022-127: Free Memory Access in Arm Mali - CVE-2022-46395
Imported memory from user space can be accessed after it has been freed.
Man Yue Mo
GHSL-2022-042: Remote Code Execution in Chromium - CVE-2022-1134
A type confusion in v8 can lead to remote code execution in the Chrome renderer sandbox.
Man Yue Mo
GHSL-2023-085: Authentication bypass in libssh - CVE-2023-2283
The public key signature checking code in pki_verify_data_signature has a logic bug, which, under certain conditions, could enable an attacker to bypass the check.
Kevin Backhouse
GHSL-2023-032_GHSL-2023-042: Denial of Service in libssh - CVE-2023-1667
The libssh server logic does not correctly handle SSH_MSG_KEXINIT packets sent after a client authenticates, which can allow an attacker to trigger a NULL pointer dereference, causing a denial-of-service. In addition, there are a number of memory leaks in the GSSAPI integration which may allow an attacker to trigger memory exhaustion, causing a denial-of-service.
Phil Turnbull
GHSL-2023-001: ReDoS in SQLparse - CVE-2023-30608
SQLparse has a ReDoS (regular expression denial of service) in the parser for SQL expressions.
GitHub Security Lab
GHSL-2023-031: Quadratic complexity algorithm in cmark - CVE-2023-24824
A crafted markdown document can trigger a quadratic complexity algorithm in cmark.
Kevin Backhouse
GHSL-2022-101_GHSL-2022-108: SQL injection in Archery - CVE-2023-30552, CVE-2023-30553, CVE-2023-30554, CVE-2023-30605, CVE-2023-30558, CVE-2023-30557, CVE-2023-30556, CVE-2023-30555
The Archery project contains multiple SQL injection vulnerabilities that may allow an attacker to query the connected databases.
Sylwia Budzynska
GHSL-2023-047_GHSL-2023-049: Denial of Service (DoS) in comrak - CVE-2023-28626, CVE-2023-28631
A number of quadratic parsing issues can allow an attacker to trigger a denial-of-service via excessive CPU usage or excessive memory usage. In addition, an architectural design decision in the AST module could allow attackers to trigger a denial-of-service in applications building ASTs programmatically.
Phil Turnbull
GHSL-2022-138: open redirect in lorawan stack - CVE-2023-26494
An open redirect exists on the login page of the lorawan stack server, allowing an attacker to supply a user-controlled redirect upon sign in.
Kevin Stubbings
GHSL-2023-023: Type confusion in the Chrome renderer - CVE-2023-1214
A type confusion in the Chrome renderer is reachable from a malicious website.
Man Yue Mo
GHSL-2023-005: GPU memory accessed after it's freed
GPU memory can be accessed after it is freed.
Man Yue Mo
GHSL-2023-051: Command Injection in React Native OneSignal SDK - CVE-2023-28430
The React Native OneSignal SDK repository is vulnerable to a Command Injection in Zapier.yml.
Jorge RosilloGHSL-2023-027: Command Injection in Cocos - CVE-2023-26493
Cocos Engine is vulnerable to a Command Injection in web-interface-check.yml.
Jorge RosilloGHSL-2022-129: XML External Entity (XXE) injection in GeoNode - CVE-2023-26043
GeoNode is vulnerable to an XML External Entity (XXE) injection in the style upload functionality of GeoServer leading to Arbitrary File Read.
Jorge RosilloGHSL-2022-094: Remote Code Execution in discordrb - CVE-2023-28102
The encode_file method may lead to remote code execution if invoked with untrusted user-controlled data.
GitHub Security LabGHSL-2021-110: ReDoS in validators
validators contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service).
GitHub Security LabGHSL-2021-109: ReDoS in textacy
textacy contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service).
GitHub Security LabGHSL-2023-016_GHSL-2023-018: Out-of-Bounds Read in the MIT Kerberos V5 (krb5) library
Multiple vulnerabilities in the MIT Kerberos V5 (krb5) library can trigger an out-of-bounds read when parsing and verifying SPNEGO tokens.
Phil TurnbullGHSL-2022-131: XML External Entities (XXE) injection in OWSLib - CVE-2023-27476
OWSLib does not disable entity resolution for XML parsing, leading to XML External Entities (XXE) injection.
Jorge RosilloGHSL-2022-121_GHSL-2022-123: Multiple vulnerabilities in Apollo Configuration Management System - CVE-2023-25569, CVE-2023-25570
Apollo Configuration Management System is affected by multiple security vulnerabilities, including Post-Auth Remote Code Execution via SPeL evaluation, Improper Authorization in Eureka Service Discovery and Cross Site Request forgery.
Michael StepankinGHSL-2022-076_GHSL-2022-083: Multiple vulnerabilities in DataHub - CVE-2023-25557, CVE-2022-39366, CVE-2023-25559, CVE-2023-25560, CVE-2023-25561, CVE-2023-25562, CVE-2023-25558, CVE-2023-25580
Multiple vulnerabilities were found in DataHub: SSRF, XSS, JSON Injection, Deserialization of Untrusted Data and Cypher Injection.
GitHub Security LabGHSL-2023-010_GHSL-2023-014: Denial of Service (DoS) and memory corruption in gss-ntlmssp - CVE-2023-25563, CVE-2023-25564, CVE-2023-25565, CVE-2023-25566, CVE-2023-25567
Multiple vulnerabilities in the gss-ntlmssp library can allow remote attackers to trigger a denial-of-service or memory corruption in applications using NTLM authentication.
Phil TurnbullGHSL-2022-092: Physical memory access by untrusted app in Qualcomm Adreno GPU - CVE-2022-25664
A vulnerability in the Adreno GPU allows physical memory to be read by an untrusted app.
Man Yue MoGHSL-2022-128: Quadratic complexity algorithm in cmark - CVE-2023-22486
A crafted markdown document can trigger a quadratic complexity algorithm in cmark.
Kevin BackhouseGHSL-2022-118: Out-of-bounds read in cmark-gfm - CVE-2023-22485
A crafted markdown document can trigger an out-of-bounds read in cmark-gfm.
Kevin BackhouseGHSL-2022-098: Quadratic complexity algorithm in cmark - CVE-2023-22484
A crafted markdown document can trigger a quadratic complexity algorithm in cmark.
Kevin BackhouseGHSL-2022-088, GHSL-2022-089, GHSL-2022-090, GHSL-2022-091, GHSL-2022-099, GHSL-2022-109, GHSL-2022-110, GHSL-2022-111, GHSL-2022-120, GHSL-2022-126: Quadratic complexity algorithms in cmark-gfm - CVE-2023-22483
A crafted markdown document can trigger a quadratic complexity algorithm in cmark-gfm. Since cmark-gfm is used for rendering markdown on https://github.com/, this vulnerability could be used in a denial-of-service attack on GitHub.
Kevin BackhouseGHSL-2022-059_GHSL-2022-060: SQL injection vulnerabilities in Owncloud Android app - CVE-2023-24804, CVE-2023-23948
The Owncloud Android app uses content providers to manage its data. The provider FileContentProvider has SQL injection vulnerabilities that allow malicious applications or users in the same device to obtain internal information of the app. The app also handles externally-provided files in the activity ReceiveExternalFilesActivity, where potentially malicious file paths are not properly sanitized, allowing attackers to read from and write to the application's internal storage.
GitHub Security LabGHSL-2022-132_GHSL-2022-133: Server-Side Request Forgery (SSRF) and Path Injection in Metersphere - CVE-2022-23544, CVE-2022-23512
Metersphere is vulnerable to Server-Side Request Forgery and Path Injection.
Jorge RosilloGHSL-2023-004: Arbitrary file upload and download in act - CVE-2023-22726
The artifact server that stores artifacts from GitHub Action runs does not sanitize path inputs. This allows an attacker to download and overwrite arbitrary files on the host from a GitHub Action.
Kevin StubbingsGHSL-2022-074: Arithmetic overflow in sysstat - CVE-2022-39377
On 32 bit systems, an arithmetic overflow present in allocate_structures can be triggered when displaying activity data files and may lead to a variety of exploit primitives due to an incorrectly sized buffer.
Kevin StubbingsGHSL-2022-054: Use-after-free (UAF) in the Arm Mali Kernel driver - CVE-2022-38181
Use-after-free in the Arm Mali GPU kernel driver
Man Yue MoGHSL-2022-061: Bearer token disclosure in ghinstallation - CVE-2022-39304
Bearer token gets disclosed when there is an error during token renewal
GitHub Security LabGHSL-2021-1010: Authentication bypass in Alpine - CVE-2022-23554
The `AuthenticationFilter` can be bypassed
Alvaro MunozGHSL-2021-1009: URL access filters bypass in Alpine - CVE-2022-23553
URL access filters (block and allow list) are subject to be bypassed
Alvaro MunozGHSL-2020-295: ReDoS (Regular Expression Denial of service) in is.js - CVE-2020-26302
The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)
GitHub Security LabGHSL-2022-112_GHSL-2022-115: Remote denial of service in Linux kernel WILC1000 wireless driver - CVE-2022-47518, CVE-2022-47519, CVE-2022-47520, CVE-2022-47521
Multiple vulnerabilities in the Linux kernel Microchip WILC1000 802.11 wireless driver can allow remote and local attackers to trigger a denial of service when parsing management frames.
Phil TurnbullGHSL-2022-070_GHSL-2022-072: SQL injection in Arches - CVE-2022-41892
The Arches project contains multiple blind SQL injection vulnerabilities, that allow an attacker to query the underlying database.
Sylwia BudzynskaGHSL-2022-130: Out-of-bounds (OOB) read in openrazer - CVE-2022-23467
A malicious device can send a USB report to the openrazer razermouse driver, resulting in an out-of-bounds (OOB) read.
Kevin StubbingsGHSL-2022-028: Copy/paste cross-site scripting (XSS) in codex-team
codex-team/editor.js is vulnerable to XSS attacks when copy/pasting specially crafted input into the editor.
GitHub Security LabGHSL-2022-068: Remote Code Execution (RCE) in PDFMake - CVE-2022-46161
The dev-playground of pdfmake lacks sandboxing/sanitization of the data sent to the server, which flows to eval().
GitHub Security LabGHSL-2022-073: Denial of Service (DoS) in Fat Free CRM - CVE-2022-39281
A denial of service vulnerability existed in Fat Free CRM where an authenticated attacker could have prevented the web application from handling any requests.
Peter StöckliGHSL-2022-069: Remote Code Execution (RCE) in CircuitVerse - CVE-2022-36038
A remote code execution (RCE) vulnerability in CircuitVerse allowed authenticated attackers to execute arbitrary code via specially crafted JSON payloads.
Peter StöckliGHSL-2022-067: Remote Code Execution (RCE) in Fluentd - CVE-2022-39379
A remote code execution (RCE) vulnerability in non-default configurations of Fluentd allowed unauthenticated attackers to execute arbitrary code via specially crafted JSON payloads.
Peter Stöckli

GHSL-2022-063: Remote Code Execution (RCE) in Arvados Workbench - CVE-2022-36006
A remote code execution (RCE) vulnerability in the Arvados Workbench allowed authenticated attackers to execute arbitrary code via specially crafted JSON payloads.
Peter Stöckli

GHSL-2022-062: Arbitrary File Read in Tasks.org Android app - CVE-2022-39349
A malicious or compromised application on the same device could force Tasks.org to copy files from its internal storage to the external storage directory, where they become accessible to any component with permission to read the external storage.
GitHub Security Lab

GHSL-2022-035: Integer Overflow in git shell - CVE-2022-39260
An integer overflow in git shell can be exploited by a remote attacker to read and write out-of-bounds memory. This could potentially enable an attacker to execute arbitrary code on a git server.
Kevin Backhouse

GHSL-2022-018: Arbitrary Code Execution in Apache Commons Text - CVE-2022-42889
The StringSubstitutor default interpolators may lead to unsafe script evaluation and arbitrary code execution.
Alvaro Munoz

GHSL-2022-066: Stack Buffer Overflow in iowow - CVE-2022-23462
A stack buffer overflow in iowow allows denial of service (DoS) when it parses numbers in scientific notation in JSON.
Kevin Stubbings

GHSL-2022-036: Arbitrary CSS injection in mermaid.js - CVE-2022-31108
An attacker is able to inject arbitrary CSS into the generated graph, allowing them to change the styling of elements outside of the generated graph and potentially exfiltrate sensitive information by using specially crafted CSS selectors.
Agustin Gianni

GHSL-2022-049: Stack exhaustion in jsonxx - CVE-2022-23460
Stack exhaustion while parsing JSON text.
Jaroslav Lobacevski

GHSL-2022-048: Double free in jsonxx - CVE-2022-23459
Double free or use-after-free in the Value class.
Jaroslav Lobacevski

GHSL-2022-033_GHSL-2022-034: SpEL Injection in Nepxion/Discovery - CVE-2022-23463, CVE-2022-23464
Nepxion/Discovery is vulnerable to SpEL injection in discovery-commons and a potential SSRF in discovery-plugin-admin-center.
Jorge Rosillo

GHSL-2022-030: Cross-Site Scripting (XSS) in Jodit Editor 3 - CVE-2022-23461
Jodit Editor 3 is vulnerable to XSS attacks when pasting specially constructed input.
GitHub Security Lab

GHSL-2022-025: Regular Expression Denial of Service (ReDoS) in Apache OFBiz - CVE-2022-29158
Apache OFBiz up to version 18.12.05 is vulnerable to Regular Expression Denial of Service (ReDoS) in the way it handles URLs provided by external, unauthenticated users. Specially crafted URLs may cause catastrophic backtracking, taking exponential time to complete.
GitHub Security Lab

GHSL-2022-043: Remote Code Execution (RCE) in the Chrome renderer - CVE-2022-1869
Type confusion in v8 that can lead to remote code execution in the Chrome renderer.
Man Yue Mo

GHSL-2022-029: XSS in Toast UI Grid - CVE-2022-23458
The nhn/tui.grid component is vulnerable to XSS attacks when pasting specially crafted content into editable cells.
GitHub Security Lab

GHSL-2022-024: Regular Expression Denial of Service (ReDoS) in the Azure SDK for Java
The Azure SDK for Java up to version 1.5.0-beta2 is vulnerable to Regular Expression Denial of Service (ReDoS) in the way it validates tenant IDs. Specially crafted IDs may cause catastrophic backtracking, taking exponential time to complete.
GitHub Security Lab

GHSL-2022-023: Regular Expression Denial of Service (ReDoS) in Apache Ignite
Apache Ignite up to version 2.12.0 is vulnerable to Regular Expression Denial of Service (ReDoS) in the way it handles table names when requesting primary keys through its JDBC driver. Specially crafted table names may cause catastrophic backtracking, taking exponential time to complete.
GitHub Security Lab

GHSL-2022-022: Regular Expression Denial of Service (ReDoS) in Tapestry - CVE-2022-31781
Apache Tapestry up to version 5.8.1 is vulnerable to Regular Expression Denial of Service (ReDoS) in the way it handles Content Types. Specially crafted Content Types may cause catastrophic backtracking, taking exponential time to complete.
GitHub Security Lab

GHSL-2022-021: Regular Expression Denial of Service (ReDoS) in Apache Tika - CVE-2022-30126, CVE-2022-33879
Apache Tika up to version 1.28.1 is vulnerable to Regular Expression Denial of Service (ReDoS) in the way it handles standard references in text files. Specially crafted files may cause catastrophic backtracking, taking exponential time to complete.
GitHub Security Lab

GHSL-2022-001: Deserialization vulnerability in Orckestra C1 CMS - CVE-2022-24789
Deserialization of untrusted data allows for Server Side Request Forgery (SSRF) or arbitrary file truncation.
Jaroslav Lobacevski

GHSL-2021-1013_1028: Arbitrary code injection in nbconvert leads to several Cross-Site Scripting (XSS) vulnerabilities - CVE-2021-32862
When using nbconvert to generate an HTML version of a user-controllable notebook, it is possible to inject arbitrary HTML, which may lead to Cross-Site Scripting (XSS) vulnerabilities if these HTML notebooks are served by a web server (e.g. nbviewer).
Alvaro Munoz

GHSL-2022-046: Arbitrary Intent in WordPress for Android leads to read and write access
The WordPress for Android app has a security issue by which a malicious application installed on the same device can send it an arbitrary Intent that gets reflected back, unintentionally granting read and write access to non-exported Content Providers in WordPress for Android.
GitHub Security Lab

GHSL-2021-111: ReDoS (Regular Expression Denial of Service) in Dependency Parser - CVE-2022-39280
Dependency Parser contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service).
GitHub Security Lab

GHSL-2022-053: Use-after-free in alias memory of the Arm Mali gpu kernel driver - CVE-2022-20186
Improper validation of input data can leave freed memory accessible from the GPU, which can lead to arbitrary memory access.
Man Yue Mo

GHSL-2022-017: Arbitrary command execution through Apache Commons Configuration - CVE-2022-33980
Attackers able to control a configuration file or property may be able to run arbitrary system commands.
Alvaro Munoz

GHSL-2022-038: Use After Free (UAF) in Qualcomm NPU driver - CVE-2022-22068
There is a use-after-free vulnerability in the Qualcomm NPU driver.
Man Yue Mo

GHSL-2022-037: Use After Free (UAF) in Qualcomm kgsl driver - CVE-2022-22057
There is a use-after-free vulnerability in the Qualcomm kgsl driver.
Man Yue Mo

GHSL-2021-1044: Cross-Site Scripting (XSS) in iziModal - CVE-2021-32860
iziModal is prone to XSS when handling untrusted modal titles.
GitHub Security Lab

GHSL-2021-1005: Copy-paste XSS in Microweber text editor - CVE-2021-32856
Copy-paste XSS in the Microweber text editor.
GitHub Security Lab

GHSL-2022-031_GHSL-2022-032: Type confusion in Nokogiri leads to memory leak or DoS - CVE-2022-29181
Two type confusion issues while processing malicious data can be used to leak the contents of memory or cause a denial of service.
Agustin Gianni

GHSL-2021-1042: XSS in Baremetrics - CVE-2021-32859
Baremetrics Date Range Picker is prone to XSS when handling untrusted placeholder entries.
GitHub Security Lab

GHSL-2022-012: Arbitrary file write during TAR extraction in Apache Hadoop - CVE-2022-26612
The unpackEntries function used during TAR extraction follows symbolic links (symlinks), which allows writing outside the expected base directory on Windows.
Jaroslav Lobacevski

GHSL-2022-008: Path traversal in the OWASP Enterprise Security API (ESAPI) - CVE-2022-23457
The getValidDirectoryPath function incorrectly treats a sibling of the configured root directory, a path that merely shares its string prefix, as a child of it.
Jaroslav Lobacevski

GHSL-2021-1035: Cross-Site Scripting (XSS) in Cockpit Next - CVE-2021-32857
Bad HTML sanitization in htmleditor.js may lead to cross-site scripting (XSS) issues.
GitHub Security Lab

GHSL-2021-1034: HTML sanitizer bypass leading to XSS in esdoc-publish-html-plugin - CVE-2021-32858
The esdoc-publish-html-plugin HTML sanitizer can be bypassed, which may lead to cross-site scripting (XSS) issues.
GitHub Security Lab

GHSL-2021-1006: Copy-paste XSS in vditor text editor - CVE-2021-32855
Copy-paste XSS in the vditor text editor.
GitHub Security Lab

GHSL-2021-1001: Copy-paste XSS in textAngular text editor - CVE-2021-32854
Copy-paste XSS in the textAngular text editor.
GitHub Security Lab

GHSL-2022-007: Partial path traversal in Apache Felix Atomos
Partial path traversal allows an attacker to break out of the expected folder.
Jaroslav Lobacevski

GHSL-2022-005_GHSL-2022-006: Partial path traversal in Apache Karaf - CVE-2022-22932
Partial path traversal allows an attacker to break out of the expected folder.
Jaroslav Lobacevski

GHSL-2022-004: Partial path traversal in Apache Pinot
Partial path traversal allows an attacker to break out of the expected folder.
Jaroslav Lobacevski

GHSL-2022-002_GHSL-2022-003: Partial path traversal in Apache James Server - CVE-2022-22931
Partial path traversal allows an attacker to break out of the expected folder and access another user's mailbox.
Jaroslav Lobacevski

GHSL-2022-009: HTML content sanitization bypass allowing to execute JavaScript code in CKEditor 4 - CVE-2022-24728
The HTML content sanitization in ckeditor4 can be bypassed, enabling JavaScript code to be executed in the browser.
GitHub Security Lab

GHSL-2021-070: Command injection in react-dev-utils - CVE-2020-1920
There is a command injection in the react-dev-utils npm package, which is part of Facebook's facebook/create-react-app repository.
GitHub Security Lab

GHSL-2021-077: Local denial of service in polkit - CVE-2021-4115
There is a file descriptor leak in polkit that enables an unprivileged user to crash polkit through file descriptor exhaustion.
Kevin Backhouse

GHSL-2021-1011: Double free in accountsservice - CVE-2021-3939
accountsservice has a double-free bug that can be triggered by an unprivileged local user by calling the SetLanguage D-Bus method.
Kevin Backhouse

GHSL-2021-104: Cross-Site Scripting in countly-server - CVE-2021-32852
A template snippet in reset.html is vulnerable to code injection.
GitHub Security Lab

GHSL-2021-103: Cross-Site Scripting (XSS) in Erxes - CVE-2021-32853
A template tag in widgets.ejs is vulnerable to code injection.
GitHub Security Lab

GHSL-2021-1007: SQL Injection and insufficient permission control in Nextcloud Android app - CVE-2021-43863, CVE-2021-41166
The Nextcloud Android app uses content providers to manage its data. The providers FileContentProvider and DiskLruImageCacheFileProvider have security issues (an SQL injection and insufficient permission control, respectively) that allow malicious apps on the same device to access Nextcloud's data, bypassing the permission control system.
GitHub Security Lab

GHSL-2021-001: Command Injection and Script Injection in Saagie create and close issue workflows
The close_issue.yml and create_issue.yml GitHub workflows in the saagie/sdk, saagie/technologies-plugin and saagie/technologies repositories are vulnerable to arbitrary command/script injection.
Jaroslav Lobacevski

GHSL-2021-119: ReDoS (Regular Expression Denial of Service) in H2O
H2O contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service).
Kevin Backhouse

GHSL-2021-1058_GHSL-2021-1060: Cross-Site Scripting (XSS) in mermaid.js
An incorrect sanitization function leads to XSS.
GitHub Security Lab

GHSL-2021-1048_GHSL-2021-1051: Command injection in Apache Kylin - CVE-2021-45457, CVE-2021-45456, CVE-2021-45458
Multiple vulnerabilities were found in Apache Kylin leading to command injection.
GitHub Security Lab

GHSL-2021-1037_GHSL-2021-1038: Improper sanitization of data URLs and style attributes in lxml HTML Sanitizer - CVE-2021-43818
The lxml HTML sanitizer fails to properly sanitize data URLs and style attributes.
Alvaro Munoz

GHSL-2020-313: Unauthorized repository modification or secrets exfiltration in a GitHub workflow of BitByte-TPC/first-bit
The auto_merge.yml GitHub workflow is vulnerable to unauthorized modification of the base repository or secrets exfiltration from a Pull Request.
Jaroslav Lobacevski

GHSL-2021-1054_GHSL-2021-1055: Unsafe Deserialization in log4j2 - CVE-2021-45046
The mitigations that restrict the hosts an LDAP lookup can connect to and the classes that can be deserialized can be bypassed.
Alvaro Munoz

GHSL-2021-1053: Path traversal in Grafana REST API - CVE-2021-43813, CVE-2021-43815
A path traversal vulnerability was found in the Grafana REST API.
Alvaro Munoz

GHSL-2021-1047: Cross-Site Scripting (XSS) in Mind-elixir - CVE-2021-32851
Mind-elixir is prone to XSS when handling untrusted menus.
GitHub Security Lab

GHSL-2021-1045: Cross-Site Scripting (XSS) in jQuery MiniColors Plugin - CVE-2021-32850
jQuery MiniColors Plugin is prone to XSS when handling untrusted color names.
GitHub Security Lab

GHSL-2021-099: ReDoS (Regular Expression Denial of Service) in Solidus - CVE-2021-43805
A user of the system can provide an email address containing a specifically crafted string that will trigger a ReDoS vulnerability when checking out an order.
GitHub Security Lab

GHSL-2020-183: Arbitrary command injection in GitHub workflows of Checkstyle
The diff_report.yml and site.yml GitHub workflows are vulnerable to arbitrary command injection.
Jaroslav Lobacevski

GHSL-2021-113: ReDoS (Regular Expression Denial of Service) in JS Beautifier
JS Beautifier contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service).
GitHub Security Lab

GHSL-2021-125: Path traversal in SharpZipLib - CVE-2021-32840, CVE-2021-32841, CVE-2021-32842
SharpZipLib allows full or partial (depending on the version) traversal of the extraction path.
Jaroslav Lobacevski

GHSL-2021-122: ReDoS (Regular Expression Denial of Service) in Frappe
Frappe contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service).
GitHub Security Lab

GHSL-2021-121: ReDoS (Regular Expression Denial of Service) in StreamAlert
StreamAlert contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service).
GitHub Security Lab

GHSL-2021-117: ReDoS (Regular Expression Denial of Service) in python-ldap
python-ldap contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service).
GitHub Security Lab

GHSL-2021-115: ReDoS (Regular Expression Denial of Service) in Spyne
Spyne contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service).
GitHub Security Lab

GHSL-2021-1033: Intent URI permission manipulation in Nextcloud News for Android - CVE-2021-41256
The Nextcloud News for Android app has a security issue by which a malicious application installed on the same device can send it an arbitrary Intent that gets reflected back, unintentionally granting read and write access to non-exported Content Providers in Nextcloud News for Android.
GitHub Security Lab

GHSL-2021-1032: Unauthorized repository modification or secrets exfiltration from a Pull Request in Solana GitHub workflow
The Explorer GitHub workflow is vulnerable to unauthorized modification of the base repository or secrets exfiltration from a Pull Request.
GitHub Security Lab

GHSL-2021-082: Path traversal in SharpCompress - CVE-2021-39208
The WriteEntryToDirectory method used for archive extraction is vulnerable to partial path traversal.
Jaroslav Lobacevski

GHSL-2021-1043: Cross-Site Scripting (XSS) in emoji-button - CVE-2021-43785
emoji-button is prone to XSS when handling untrusted emojis.
Agustin Gianni

GHSL-2021-100: ReDoS (Regular Expression Denial of Service) in Octobox - CVE-2021-32848
A user of the system can provide a specifically crafted search query string that will trigger a ReDoS vulnerability.
GitHub Security Lab

GHSL-2021-076: Arbitrary command execution in Gerapy - CVE-2021-32849
An authenticated attacker can execute arbitrary commands on the system.
GitHub Security Lab

GHSL-2021-1031: Information leak in Qualcomm npu driver - CVE-2021-1969
Information leak in the Qualcomm npu driver due to use of an uninitialized variable.
Man Yue Mo

GHSL-2021-1030: Information leak in Qualcomm npu driver - CVE-2021-1968
Information leak in the Qualcomm npu driver.
Man Yue Mo

GHSL-2021-1029: Use-after-free (UaF) in Qualcomm npu driver - CVE-2021-1940
Use-after-free in the Qualcomm npu driver.
Man Yue Mo

GHSL-2021-102: ReDoS (Regular Expression Denial of Service) in Fluentd - CVE-2021-41186
The parser_apache2 plugin in Fluentd v0.14.14 to v1.14.1 suffers from a regular expression denial of service (ReDoS) vulnerability. A broken Apache log line with a certain pattern can make the regular expression spend excessive time, resulting in a potential DoS.
GitHub Security Lab

GHSL-2021-086: Unsafe Deserialization in Apache Storm supervisor - CVE-2021-40865
An unsafe deserialization vulnerability exists in the worker services of the Apache Storm supervisor server, allowing pre-auth Remote Code Execution (RCE).
Alvaro Munoz

GHSL-2021-085: Command injection in Apache Storm Nimbus - CVE-2021-38294
A command injection vulnerability exists in the getTopologyHistory service of the Apache Storm Nimbus server, allowing pre-auth Remote Code Execution (RCE).
Alvaro Munoz

GHSL-2021-120: ReDoS (Regular Expression Denial of Service) in Apprise
Apprise contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service).
Kevin Backhouse

GHSL-2021-116: ReDoS (Regular Expression Denial of Service) in pydal
pydal contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service).
Kevin Backhouse

GHSL-2021-112: ReDoS (Regular Expression Denial of Service) in Calibre
calibre contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service).
Kevin Backhouse

GHSL-2021-1012: Poor random number generation in keypair - CVE-2021-41117
keypair implements many cryptographic primitives itself or by borrowing from other libraries where possible, including node-forge. The library was found to generate identical RSA keys for use with SSH. This means it produced identical P and Q (and thus N) values, which should be practically impossible for RSA-2048 keys. Repeatedly generating identical values usually indicates poor random number generation or poor handling of CSPRNG output.
GitHub Security Lab

GHSL-2021-118: ReDoS (Regular Expression Denial of Service) in Zulip - CVE-2021-41115
Zulip contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service).
GitHub Security Lab

GHSL-2020-348: ReDoS (Regular Expression Denial of Service) in DevExtreme
The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service).
GitHub Security Lab

GHSL-2020-304: ReDoS (Regular Expression Denial of Service) in CyberChef
The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service).
GitHub Security Lab

GHSL-2020-292: ReDoS (Regular Expression Denial of Service) in CKEditor 5 - CVE-2021-21254
The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service).
GitHub Security Lab

GHSL-2021-058: Disclosure of the host memory into the virtualized guest in hyperkit - CVE-2021-32847
A malicious guest can trigger a vulnerability in the host by abusing the disk driver, which may lead to disclosure of host memory into the virtualized guest.
Agustin Gianni

GHSL-2021-054_057: Code execution outside the virtualized guest in hyperkit - CVE-2021-32843, CVE-2021-32844, CVE-2021-32845, CVE-2021-32846
A malicious guest can trigger vulnerabilities in the host by abusing certain drivers, which may lead to code execution outside the virtualized guest.
Agustin Gianni

GHSL-2021-124: Use After Free (UAF) in Chrome - CVE-2021-30528
There is a use-after-free (UAF) vulnerability in InternalAuthenticatorAndroid::InvokeIsUserVerifyingPlatformAuthenticatorAvailableResponse.
Man Yue Mo

GHSL-2021-1002: Copy-paste XSS in jSuites editor - CVE-2021-41086
Copy-paste XSS in the jSuites editor.
GitHub Security Lab

GHSL-2021-107: ReDoS (Regular Expression Denial of Service) in python-sqlparse - CVE-2021-32839
python-sqlparse contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service).
Kevin Backhouse

GHSL-2021-1004: Copy-paste XSS in Threema Web text editor
Copy-paste XSS in the Threema Web text editor.
Alvaro Munoz

GHSL-2021-097: Pre-Auth Unsafe Java Deserialization in Apache Dubbo - CVE-2021-37579
Apache Dubbo is vulnerable to pre-authentication unsafe Java deserialization.
Alvaro Munoz

GHSL-2021-123: ReDoS (Regular Expression Denial of Service) in Flask RESTX - CVE-2021-32838
Flask RESTX contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service).
Kevin Backhouse

GHSL-2021-108: ReDoS (Regular Expression Denial of Service) in mechanize - CVE-2021-32837
mechanize contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service).
Kevin Backhouse

GHSL-2020-123: Command injection in mscdex/ssh2 - CVE-2020-26301
The agent method has a command injection vulnerability on Windows. Clients of the mscdex/ssh2 library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability.
Kevin Backhouse

GHSL-2020-112: Command injection in systeminformation - CVE-2020-26300
The si.services method has a command injection vulnerability. Clients of the systeminformation library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability.
Kevin Backhouse

GHSL-2021-088_093: Code execution outside the virtualized guest in bhyve - CVE-2021-29631
A malicious guest can trigger vulnerabilities in the host by abusing certain drivers, which may lead to code execution outside the virtualized guest.
Agustin Gianni

GHSL-2021-028: ReDoS (Regular Expression Denial of Service) in mithril.js
The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service).
Kevin Backhouse

GHSL-2021-094: Multiple RCEs in Apache Dubbo - CVE-2021-36162, CVE-2021-36163
Multiple vulnerabilities have been found in Apache Dubbo enabling attackers to compromise and run arbitrary system commands on both Dubbo consumers and providers.
Alvaro Munoz

GHSL-2021-087: Pre-auth unsafe deserialization in ZStack - CVE-2021-32836
The ZStack REST API is vulnerable to pre-auth unsafe deserialization.
Alvaro Munoz

GHSL-2021-063: Arbitrary code execution in Eclipse Keti - CVE-2021-32834
A user able to create Policy Sets can run arbitrary code by sending malicious Groovy scripts that escape the configured Groovy sandbox.
Alvaro Munoz

GHSL-2021-051: Unauthenticated file read in Emby Server - CVE-2021-32833
Emby Server allows unauthenticated file read.
Jaroslav Lobacevski

GHSL-2021-098: ReDoS in OpenProject - CVE-2021-32763
A user of the system can post a message on a forum containing a specifically crafted string that will trigger a ReDoS vulnerability.
GitHub Security Lab

GHSL-2021-072: Reflected Cross-Site Scripting (XSS) leading to Remote Code Execution (RCE) in Nuxeo - CVE-2021-32828
The oauth2 REST API is vulnerable to reflected cross-site scripting (XSS). This XSS can be escalated to remote code execution (RCE) by leveraging the automation API.
Alvaro Munoz

GHSL-2021-066: DoS and RCE in totaljs
An attacker can execute arbitrary JavaScript code.
GitHub Security Lab

GHSL-2021-065: Post-authentication Remote Code Execution (RCE) in ZStack REST API - CVE-2021-32829
The ZStack REST API is vulnerable to post-authentication Remote Code Execution (RCE) via a bypass of the Groovy shell sandbox.
Alvaro Munoz

GHSL-2021-061: Command injection in @diez/generation - CVE-2021-32830
The locateFont method has a command injection vulnerability. Clients of the @diez/generation library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability.
Alvaro Munoz

GHSL-2021-059: Arbitrary code execution in MockServer - CVE-2021-32827
An attacker who can trick a victim into visiting a malicious site while MockServer is running locally can run arbitrary code on the MockServer machine.
Alvaro Munoz

GHSL-2021-053: Remote code execution in Proxyee-Down - CVE-2021-32826
An attacker able to provide an extension script (e.g. through a MitM attack or by hosting a malicious extension) may be able to run arbitrary commands on the system running Proxyee-Down.
Alvaro Munoz

GHSL-2021-033: Arbitrary code execution in GitHub workflows of game-ci
The main.yml, kubernetes-tests.yml, test.yml and build-tests.yml GitHub workflows are vulnerable to arbitrary code execution.
Jaroslav Lobacevski

GHSL-2020-364: Unauthorized repository modification or secrets exfiltration in GitHub workflows of apache/camel-website
The pr.yaml GitHub workflow is vulnerable to unauthorized modification of the base repository or secrets exfiltration from a Pull Request.
Jaroslav Lobacevski

GHSL-2020-310: ReDoS (Regular Expression Denial of Service) in Rocket Chat - CVE-2021-32832
The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service).
GitHub Security Lab

GHSL-2020-258: ZipSlip vulnerability in bblfshd - CVE-2021-32825
The unsafe handling of symbolic links in an unpacking routine may enable attackers to read and/or write to arbitrary locations outside the designated target folder.
GitHub Security Lab

GHSL-2021-073: Post-authentication unsafe reflection in NSA Emissary - CVE-2021-32647
A logged-in user can invoke the constructor of some classes with untrusted data.
Alvaro Munoz

GHSL-2021-067_068: Post-authentication Unsafe Deserialization and Server-Side Request Forgery (SSRF) in NSA Emissary - CVE-2021-32634, CVE-2021-32639
Emissary is vulnerable to post-authentication unsafe deserialization and Server-Side Request Forgery (SSRF).
Alvaro Munoz

GHSL-2020-227: Server-Side Template Injection leading to unauthenticated Remote Code Execution in SCIMono - CVE-2021-21479
A server-side template injection was identified in SCIMono, enabling attackers to inject arbitrary Java EL expressions and leading to unauthenticated Remote Code Execution (RCE).
Alvaro Munoz

GHSL-2021-083: Type confusion in striptags leads to XSS - CVE-2021-32696
A type-confusion vulnerability causes striptags to incorrectly sanitize dangerous input when an attacker is able to pass an array (instead of a string) to the striptags function.
GitHub Security LabGHSL-2021-078_081: Host memory disclosure in libslirp - CVE-2021-3592, CVE-2021-3593, CVE-2021-3594, CVE-2021-3595
The library libslirp contains three uninitialized memory vulnerabilities that may allow an attacker to leak host memory into a guest
Agustin GianniGHSL-2021-074: Local privilege escalation on any Linux system that uses polkit - CVE-2021-3560
There is an authentication bypass vulnerability in polkit, which enables an unprivileged user to get authorization from polkit to perform a privileged action.
Kevin BackhouseGHSL-2021-064: Arbitrary code execution in Netflix NdBench
An attacker may get arbitrary code execution on NDBench servers by providing arbitrary Groovy scripts.
Alvaro MunozGHSL-2021-034_043: Multiple pre-auth RCEs in Apache Dubbo - CVE-2021-25641, CVE-2021-30179, CVE-2021-30180, CVE-2021-30181, CVE-2021-32824
Multiple vulnerabilities have been found in Apache Dubbo enabling attackers to compromise and run arbitrary system commands on both Dubbo consumers and providers.
Alvaro Munoz
GHSL-2021-075: Path injection in Django - CVE-2021-33203
A Path Injection issue was found in Django that allows a malicious admin user to disclose the presence of files on the file system if the module django.contrib.admindocs is enabled.
GitHub Security Lab
GHSL-2020-293: Regular expression Denial of Service in react-native - CVE-2020-1920
The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service).
GitHub Security Lab
GHSL-2021-020: File disclosure in hbs - CVE-2021-32822
By allowing template engine configuration options to be passed through the Express render API directly, downstream users of an Express template engine may inadvertently introduce insecure behavior into their applications, with impacts ranging from Cross Site Scripting (XSS) to Remote Code Execution (RCE).
Agustin Gianni
GHSL-2020-345: Regular expression Denial of Service in mootools - CVE-2021-32821
The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service).
GitHub Security Lab
GHSL-2021-027: Regular expression Denial of Service in ProtonMail - CVE-2021-32816
The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service).
Kevin Backhouse
GHSL-2021-025: Remote code execution and Reflected cross site scripting in haml-coffee - CVE-2021-32818
By allowing template engine configuration options to be passed through the Express render API directly, downstream users of an Express template engine may inadvertently introduce insecure behavior into their applications, with impacts ranging from Cross Site Scripting (XSS) to Remote Code Execution (RCE).
Agustin Gianni
GHSL-2021-023: Remote code execution in squirrelly - CVE-2021-32819
By allowing template engine configuration options to be passed through the Express render API directly, downstream users of an Express template engine may inadvertently introduce insecure behavior into their applications, with impacts ranging from Cross Site Scripting (XSS) to Remote Code Execution (RCE).
Agustin Gianni
GHSL-2021-019: File disclosure in express-hbs - CVE-2021-32817
By allowing template engine configuration options to be passed through the Express render API directly, downstream users of an Express template engine may inadvertently introduce insecure behavior into their applications, with impacts ranging from Cross Site Scripting (XSS) to Remote Code Execution (RCE).
Agustin Gianni
GHSL-2021-018: File disclosure in Express Handlebars - CVE-2021-32820
By allowing template engine configuration options to be passed through the Express render API directly, downstream users of an Express template engine may inadvertently introduce insecure behavior into their applications, with impacts ranging from Cross Site Scripting (XSS) to Remote Code Execution (RCE).
Agustin Gianni
GHSL-2021-026: ReDoS in NodeRedis - CVE-2021-29469
The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service).
Kevin Backhouse
GHSL-2020-337_338: Arbitrary code execution when cloning/checking out a Gradle project - CVE-2021-29263
Upon cloning or checking out a Gradle project from an external repository (Get from VCS), both IntelliJ IDEA and Android Studio run the Gradle build task.
Alvaro Munoz
GHSL-2021-032: Template object injection in Mailtrain - CVE-2021-27136
Dangerous usage of the template rendering API may lead to Cross Site Scripting (XSS), file disclosure, and Remote Code Execution (RCE).
Agustin Gianni
GHSL-2021-005: Unauthorized repository modification or secrets exfiltration in GitHub workflows of OpenRefine
The pull_request.yml GitHub workflow is vulnerable to unauthorized modification of the base repository or secrets exfiltration from a Pull Request.
Jaroslav Lobacevski
GHSL-2021-003: Unauthorized repository modification or secrets exfiltration in GitHub workflows of alisw/alidist and alisw/ali-bot
Multiple branches of the recipe-checks.yml and pr-check.yml GitHub workflows are vulnerable to unauthorized modification of the base repository or secrets exfiltration from a Pull Request.
Jaroslav Lobacevski
GHSL-2020-325: Authentication bypass in Nacos - CVE-2021-29441, CVE-2021-29442
When enabled, Nacos authentication can be bypassed, which enables an attacker to access any console or REST API endpoints.
Alvaro Munoz
GHSL-2021-062: Command injection in @thi.ng/egf - CVE-2021-21412
The gpg method has a command injection vulnerability. Clients of the @thi.ng/egf library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability.
Alvaro Munoz
GHSL-2021-060: Command injection in @prisma/sdk - CVE-2021-21414
The getPackedPackage method has a command injection vulnerability. Clients of the @prisma/sdk library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability.
Alvaro Munoz
GHSL-2021-024: Reflected Cross Site Scripting in eta
A misuse of the ExpressJS render API can lead to insecure behaviours ranging from Cross Site Scripting (XSS) to Remote Code Execution (RCE).
Agustin Gianni
GHSL-2021-022: Remote code execution in whiskers
A misuse of the ExpressJS render API can lead to insecure behaviours ranging from Cross Site Scripting (XSS) to Remote Code Execution (RCE).
Agustin Gianni
GHSL-2021-021: Remote code execution in ejs
A misuse of the ExpressJS render API can lead to insecure behaviours ranging from Cross Site Scripting (XSS) to Remote Code Execution (RCE).
Agustin Gianni
GHSL-2020-373: Command injection in node-notifier
node-notifier recently addressed a command injection vulnerability with an insufficient fix, so command injection through malicious input is still possible.
GitHub Security Lab
GHSL-2020-357: ReDoS (Regular Expression Denial of Service) in amazeui
The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service).
GitHub Security Lab
GHSL-2020-352: ReDoS (Regular Expression Denial of Service) in revalidator
The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service).
GitHub Security Lab
GHSL-2020-350: ReDoS (Regular Expression Denial of Service) in ng2-validation
The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service).
GitHub Security Lab
GHSL-2020-339: Command Injection vulnerability in OMF
A Command Injection vulnerability has been found in the Open Modeling Framework (OMF).
GitHub Security Lab
GHSL-2020-336: Reflected Cross-Site Scripting (XSS) in analytics-quarry-web - CVE-2020-36324
A reflected Cross-Site Scripting (XSS) vulnerability has been found in analytics-quarry-web.
GitHub Security Lab
GHSL-2020-130: CSRF in mongo-express
Mongo-express uses the csurf middleware to protect the application against CSRF attacks. Unfortunately, it does so incorrectly, which leaves mongo-express vulnerable to the attack.
Agustin Gianni
GHSL-2020-372: Unauthorized repository modification or secrets exfiltration in GitHub workflows of 418sec/huntr
The process-disclosure.yml GitHub workflow is vulnerable to unauthorized modification of the base repository or secrets exfiltration from a Pull Request.
Jaroslav Lobacevski
GHSL-2021-050: Unauthenticated arbitrary file read in Jellyfin - CVE-2021-21402
Jellyfin allows unauthenticated arbitrary file read.
Jaroslav Lobacevski
GHSL-2021-047: Unauthorized repository modification or secrets exfiltration in GitHub workflows of zwavejs2mqtt
The zwave-js-bot.yml GitHub workflow is vulnerable to unauthorized modification of the base repository or secrets exfiltration.
Jaroslav Lobacevski
GHSL-2021-046: Command injection in a GitHub workflow of AmazeFileManager
The android-debug-artifact-ondemand.yml GitHub workflow is vulnerable to command injection.
Jaroslav Lobacevski
GHSL-2021-044: Command injection in a GitHub workflow of Homebrew/brew
The vendor-gems.yml GitHub workflow is vulnerable to command injection.
Jaroslav Lobacevski
GHSL-2021-031: Script injection in a GitHub workflow of hasura/graphql-engine
The shadow-pr.yml GitHub workflow is vulnerable to script injection.
Jaroslav Lobacevski
GHSL-2020-131: Remote Code Execution in mongo-express - CVE-2020-24391
Mongo-express uses safer-eval to validate user-supplied JavaScript. Unfortunately, safer-eval's sandboxing capabilities are easily bypassed, leading to RCE in the context of the Node server.
Agustin Gianni
GHSL-2020-050: Arbitrary code execution in Pebble Templates
When Spring integration is enabled, an attacker that is able to modify Template contents may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container.
Alvaro Munoz
GHSL-2020-021: Bypass input sanitization of EL expressions in Eclipse-EE4J
A bug in the `ELParserTokenManager` enables invalid EL expressions to be evaluated as if they were valid, enabling attackers to bypass input sanitization.
Alvaro Munoz
GHSL-2021-052: Potential local Denial of Service in systemd
There is an infinite loop in systemd-ask-password, due to an integer overflow in an error handling code path. The bug can be triggered by entering an invalid Unicode character followed by backspace.
Kevin Backhouse
GHSL-2021-049: Type confusion vulnerability in the varlink interface of systemd-resolved
There is a potential type-confusion vulnerability in the varlink interface of systemd-resolved. This is due to the userdata field of the Varlink struct being used to store two unrelated data types: Manager and DnsQuery.
Kevin Backhouse
GHSL-2021-045: Integer Overflow in GLib - CVE-2021-27219
The function g_bytes_new has an integer overflow due to an implicit cast from 64 bits to 32 bits. The overflow could potentially lead to a memory corruption vulnerability.
Kevin Backhouse
GHSL-2020-358: Regular expression Denial of Service in Schema-Inspector
The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service).
GitHub Security Lab
GHSL-2020-331: Unauthorized repository modification or secrets exfiltration in a GitHub workflow of appsmith
The client.yml GitHub workflow is vulnerable to unauthorized modification of the base repository or secrets exfiltration from a Pull Request.
Jaroslav Lobacevski
GHSL-2020-323: Template injection in a GitHub workflow of geek-cookbook
The on-push-master-notify-discord.yml GitHub workflow is vulnerable to template injection.
Jaroslav Lobacevski
GHSL-2020-235: Arbitrary command injection in wayou/turn-issues-to-posts-action
The turn-issues-to-posts action is vulnerable to arbitrary command injection.
Jaroslav Lobacevski
GHSL-2020-324: Template injection in a GitHub workflow of koriwi/freedeck-configurator
The develop.yml GitHub workflow is vulnerable to template injection.
Jaroslav Lobacevski
GHSL-2020-277: Unauthorized repository modification or secrets exfiltration in GitHub workflows of w3c/aria-practices
The coverage-report.yml and generate-and-commit-files.yml GitHub workflows are vulnerable to unauthorized modification of the base repository or secrets exfiltration from a Pull Request.
Jaroslav Lobacevski
GHSL-2020-375: Use-after-free (UaF) in Qualcomm kgsl driver - CVE-2020-11239
Use-after-free in kgsl_ioctl_gpuobj_import and kgsl_ioctl_map_user_mem of the Qualcomm kgsl driver.
Man Yue Mo
GHSL-2020-273: Unauthorized repository modification or secrets exfiltration in a GitHub workflow of numworks/epsilon
The metrics-workflow.yml GitHub workflow is vulnerable to unauthorized modification of the base repository or secrets exfiltration from a Pull Request.
Jaroslav Lobacevski
GHSL-2020-167: Use-after-free (UaF) in Chrome AudioHandler - CVE-2020-15972, CVE-2021-21114
UaF in AudioHandler::ProcessIfNecessary.
Man Yue Mo
GHSL-2020-166: Use-after-free (UaF) in Chrome PaymentCredential - CVE-2020-16018
UaF in PaymentCredential::DidDownloadFavicon.
Man Yue Mo
GHSL-2020-165: Use-after-free (UaF) in Chrome PaymentAppServiceBridge - CVE-2020-16045
UaF in PaymentAppServiceBridge.
Man Yue Mo
GHSL-2021-009: Unauthorized repository modification or secrets exfiltration in a GitHub workflow of lijinke666/react-music-player
The surge-preview.yml GitHub workflow is vulnerable to unauthorized modification of the base repository or secrets exfiltration from a Pull Request.
Jaroslav Lobacevski
GHSL-2021-008: Unauthorized repository modification or secrets exfiltration in a GitHub workflow of actions-cool/issue-helper
The surge-preview.yml GitHub workflow is vulnerable to unauthorized modification of the base repository or secrets exfiltration from a Pull Request.
Jaroslav Lobacevski
GHSL-2020-349: ReDoS (Regular Expression Denial of Service) in date-and-time - CVE-2020-26289
The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service).
GitHub Security Lab
GHSL-2020-343: ReDoS (Regular Expression Denial of Service) in Vant
The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service).
GitHub Security Lab
GHSL-2020-314: Unauthorized repository modification or secrets exfiltration in a GitHub workflow of s4u/pgpverify-maven-plugin
The pr.yml GitHub workflow is vulnerable to unauthorized modification of the base repository or secrets exfiltration from a Pull Request.
Jaroslav Lobacevski
GHSL-2020-287: Unauthorized repository modification or secrets exfiltration in a GitHub workflow of jdf2e/nutui
The preview.yml GitHub workflow is vulnerable to unauthorized modification of the base repository or secrets exfiltration from a Pull Request.
Jaroslav Lobacevski
GHSL-2020-270: Unauthorized repository modification or secrets exfiltration in a GitHub workflow of ant-design-colorful
The preview.yml GitHub workflow is vulnerable to unauthorized modification of the base repository or secrets exfiltration from a Pull Request.
Jaroslav Lobacevski
GHSL-2020-269: Unauthorized repository modification or secrets exfiltration in a GitHub workflow of alibaba/hooks
The preview.yml GitHub workflow is vulnerable to unauthorized modification of the base repository or secrets exfiltration from a Pull Request.
Jaroslav Lobacevski
GHSL-2020-268: Unauthorized repository modification or secrets exfiltration in a GitHub workflow of umijs/dumi
The preview.yml GitHub workflow is vulnerable to unauthorized modification of the base repository or secrets exfiltration from a Pull Request.
Jaroslav Lobacevski
GHSL-2020-267: Unauthorized repository modification or secrets exfiltration in GitHub workflows of Antvis repositories
Multiple Antvis GitHub workflows are vulnerable to unauthorized modification of the base repository or secrets exfiltration from a Pull Request.
Jaroslav Lobacevski
GHSL-2020-266: Unauthorized repository modification or secrets exfiltration in a GitHub workflow of afc163/surge-preview
The design and promoted usage examples of the afc163/surge-preview GitHub action make the consuming workflows vulnerable to arbitrary code execution. The repository of the afc163/surge-preview GitHub action falls into the same trap and is vulnerable to arbitrary code execution.
Jaroslav Lobacevski
GHSL-2020-265: Unauthorized repository modification or secrets exfiltration in GitHub workflows of didi/cube-ui and didi/mand-mobile
The cube-ui/preview.yml and mand-mobile/preview.yml GitHub workflows are vulnerable to unauthorized modification of the base repository or secrets exfiltration from a Pull Request.
Jaroslav Lobacevski
GHSL-2020-264: Unauthorized repository modification or secrets exfiltration in a GitHub workflow of youan/vant
The preview.yml GitHub workflow is vulnerable to unauthorized modification of the base repository or secrets exfiltration from a Pull Request.
Jaroslav Lobacevski
GHSL-2020-246: Unauthorized repository modification or secrets exfiltration in GitHub workflows of ant-design
The ant-design/ui.yml, ant-design-pro/preview.yml and pro-components/preview.yml GitHub workflows are vulnerable to arbitrary code execution.
Jaroslav Lobacevski
GHSL-2020-048: Remote Code Execution in Apache Velocity - CVE-2020-13936
When Velocity templates are used in the context of a VelocityView, an attacker that is able to modify Template contents may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container.
Alvaro Munoz
GHSL-2020-359: ReDoS (Regular Expression Denial of Service) in etherpad-lite
The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service).
GitHub Security Lab
GHSL-2020-335: Unauthorized repository modification or secrets exfiltration in a GitHub workflow of libpasta
The ci.yml GitHub workflow is vulnerable to unauthorized modification of the base repository or secrets exfiltration from a Pull Request.
Jaroslav Lobacevski
GHSL-2021-048: Unauthorized repository modification or secrets exfiltration in several GitHub workflows of linebender
The bloat.yml GitHub workflow in linebender/druid, linebender/runebender and linebender/norad is vulnerable to unauthorized modification of the base repository or secrets exfiltration.
Jaroslav Lobacevski
GHSL-2021-016: Unauthorized repository modification or secrets exfiltration in a GitHub workflow of Tautulli
The pull-requests.yml GitHub workflow is vulnerable to unauthorized modification of the base repository or secrets exfiltration from a Pull Request.
Jaroslav Lobacevski
GHSL-2020-329: Unauthorized repository modification or secrets exfiltration in a GitHub workflow of Automattic/jetpack
The dangerci.yml GitHub workflow is vulnerable to unauthorized modification of the base repository or secrets exfiltration from a Pull Request.
Jaroslav Lobacevski
GHSL-2020-228: Weak JSON Web Token (JWT) signing secret in YApi - CVE-2021-27884
A weak random number generator is used to sign JSON Web Tokens (JWT).
Jaroslav Lobacevski
GHSL-2020-199: Open redirect vulnerability in Slashify - CVE-2021-3189
Open redirect in Slashify.
GitHub Security Lab
GHSL-2020-197: Open redirect vulnerability in Ghost
Ghost may be vulnerable to open redirect attacks.
GitHub Security Lab
GHSL-2021-030: ReDoS (Regular Expression Denial of Service) in CodeMirror
The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service).
GitHub Security Lab
GHSL-2021-017: Command injection in teal-language/tl workflow
The playground.yml GitHub workflow is vulnerable to arbitrary command injection.
Jaroslav Lobacevski
GHSL-2021-015: Command injection in a2o/snoopy workflow
The code-qa-sonarcloud.yml GitHub workflow is vulnerable to arbitrary command injection.
Jaroslav Lobacevski
GHSL-2021-014: Command injection in benjamin-maynard/kubernetes-cloud-mysql-backup workflow
A GitHub workflow in the benjamin-maynard/kubernetes-cloud-mysql-backup GitHub repository is vulnerable to arbitrary command injection.
Jaroslav Lobacevski
GHSL-2021-013: Command injection in pythonpune/meetup-talks workflow
A GitHub workflow in the pythonpune/meetup-talks repository is vulnerable to arbitrary command injection.
Jaroslav Lobacevski
GHSL-2021-012: Command injection in alan-turing-institute/binderhub-deploy workflow
A GitHub workflow in the alan-turing-institute/binderhub-deploy GitHub repository is vulnerable to arbitrary command injection.
Jaroslav Lobacevski
GHSL-2021-011: Command injection in itpp-labs workflows
The DINAR-PORT.yml GitHub workflow in the itpp-labs/misc-addons, itpp-labs/website-addons, itpp-labs/access-addons, itpp-labs/l10n-addons, itpp-labs/mail-addons, itpp-labs/pos-addons and itpp-labs/sync-addons repositories is vulnerable to arbitrary command injection.
Jaroslav Lobacevski
GHSL-2021-010: Command injection in getsentry/onpremise workflow
The validate-new-issue.yml GitHub workflow is vulnerable to arbitrary command injection.
Jaroslav Lobacevski
GHSL-2021-007: Arbitrary code execution and shell command injection in dmlc/gluon-nlp workflows
The buildwebsite.yml and unittests-gpu.yml GitHub workflows are vulnerable to arbitrary code execution.
Jaroslav Lobacevski
GHSL-2021-006: Arbitrary code execution in Decathlon/vitamin-web workflow
The build-pr.yml GitHub workflow is vulnerable to arbitrary code execution.
Jaroslav Lobacevski
GHSL-2021-004: Arbitrary code execution in aeraki workflows
The e2e-thrift.yaml, e2e-dubbo.yaml and e2e-kafka-zookeeper.yaml GitHub workflows are vulnerable to arbitrary code execution.
Jaroslav Lobacevski
GHSL-2020-371: Arbitrary code execution in tophat workflows
The pull-request.yml GitHub workflows in multiple branches of tophat/networkjs, tophat/commit-utils, tophat/commit-watch and tophat/sanity-runner, and commit-watch.yml in tophat/commit-watch, are vulnerable to arbitrary code execution.
Jaroslav Lobacevski
GHSL-2020-370: Arbitrary code execution and shell command injection in rhinstaller/anaconda workflows
The validate.yml and kickstart-tests.yml GitHub workflows are vulnerable to arbitrary code execution.
Jaroslav Lobacevski
GHSL-2020-369: Arbitrary code execution in nrfconnect/sdk-nrf workflow
The docbuild.yml GitHub workflow is vulnerable to arbitrary code execution.
Jaroslav Lobacevski
GHSL-2020-367: Arbitrary code execution in android-password-store/Android-Password-Store workflow
The pull_request.yml GitHub workflow is vulnerable to arbitrary code execution.
Jaroslav Lobacevski
GHSL-2020-334: Arbitrary code execution in gsantner workflows
The gsantner/markor build-android-project.yml, gsantner/memetastic build-android-project.yml and gsantner/dandelion link-validator.yml GitHub workflows are vulnerable to arbitrary code execution.
Jaroslav Lobacevski
GHSL-2020-333: Arbitrary code execution in osohq/oso workflow
The bench.yml GitHub workflow is vulnerable to arbitrary code execution.
Jaroslav Lobacevski
GHSL-2020-332: Arbitrary code execution in a2o/snoopy workflow
The code-qa-sonarcloud.yml GitHub workflow is vulnerable to arbitrary code execution.
Jaroslav Lobacevski
GHSL-2020-328: Arbitrary code execution in GoogleCloudPlatform/microservices-demo workflow
The ci-pr.yaml GitHub workflow is vulnerable to arbitrary code execution.
Jaroslav Lobacevski
GHSL-2020-327: Arbitrary code execution in dmlc/gluon-cv workflow
The ci.yml GitHub workflow is vulnerable to arbitrary code execution.
Jaroslav Lobacevski
GHSL-2020-319: Arbitrary code execution in pangeo-data/climpred workflows
The climpred_installs.yml and climpred_testing.yml GitHub workflows in multiple branches are vulnerable to arbitrary code execution.
Jaroslav Lobacevski
GHSL-2020-316: Arbitrary code execution in indico/newdle workflow
The migration-sql.yml GitHub workflow is vulnerable to arbitrary code execution.
Jaroslav Lobacevski
GHSL-2020-280: Arbitrary code execution in deislabs/akri workflows
Multiple workflows are vulnerable to arbitrary code execution.
Jaroslav Lobacevski
GHSL-2020-275: Arbitrary code execution in LedgerHQ/ledger-live-desktop workflow
The ci.yml GitHub workflow is vulnerable to arbitrary code execution.
Jaroslav Lobacevski
GHSL-2020-274: Arbitrary code execution in v8/v8.dev workflow
The pr-preview.yml GitHub workflow is vulnerable to arbitrary code execution.
Jaroslav Lobacevski
GHSL-2020-257: The unsafe handling of symbolic links in an unpacking routine in oras - CVE-2021-21272
The unsafe handling of symbolic links in an unpacking routine may enable attackers to read and/or write to arbitrary locations outside the designated target folder.
GitHub Security Lab
GHSL-2020-245: Arbitrary code execution in strimzi/strimzi-ui workflow
The node-pr-jobs-secure.yml GitHub workflow is vulnerable to arbitrary code execution.
Jaroslav Lobacevski
GHSL-2020-244: Arbitrary code execution and shell command injection in nonebot/nonebot2 workflow
The api_docs.yml GitHub workflow is vulnerable to arbitrary code execution and shell command injection.
Jaroslav Lobacevski
GHSL-2020-243: Arbitrary code execution in preslavmihaylov/todocheck workflow
The master.yaml GitHub workflow is vulnerable to arbitrary code execution.
Jaroslav Lobacevski
GHSL-2020-242: Command injection in telegramdesktop/tdesktop workflow
The user_agent_updater.yml GitHub workflow is vulnerable to arbitrary command injection.
Jaroslav Lobacevski
GHSL-2020-241: Arbitrary code execution and shell command injection in getsentry/sentry workflow
The acceptance.yml GitHub workflow is vulnerable to arbitrary code execution and shell command injection.
Jaroslav Lobacevski
GHSL-2020-240: Command injection in scikit-learn/scikit-learn workflow
The sync_pull_request.yml GitHub workflow is vulnerable to arbitrary command injection.
Jaroslav Lobacevski
GHSL-2020-239: Command injection in NVIDIA/spark-rapids workflow
The blossom-ci.yml GitHub workflow is vulnerable to arbitrary command injection.
Jaroslav Lobacevski
GHSL-2020-234: Command injection in DataBiosphere/terra-workspace-manager workflow
The preview-manage.yml GitHub workflow is vulnerable to arbitrary command injection.
Jaroslav Lobacevski
GHSL-2020-233: Command injection in ONSdigital workflows
The comment.yml and main.yml GitHub workflows are vulnerable to arbitrary command injection.
Jaroslav Lobacevski
GHSL-2020-232: Command injection in wireapp/wire-webapp workflow
The test_build_deploy.yml GitHub workflow is vulnerable to arbitrary command injection.
Jaroslav Lobacevski
GHSL-2020-231: Command injection in graphql-dotnet workflows
The wipcheck.yml GitHub workflow in the graphql-dotnet/graphql-dotnet, graphql-dotnet/server, graphql-dotnet/parser and graphql-dotnet/authorization repositories is vulnerable to arbitrary command injection.
Jaroslav Lobacevski
GHSL-2020-230: Command injection in aws/aws-sam-cli workflow
The pr_title.yml GitHub workflow is vulnerable to arbitrary command injection.
Jaroslav Lobacevski
GHSL-2020-229: Command injection in allenevans/set-env workflow
The release.yml GitHub workflow is vulnerable to arbitrary command injection.
Jaroslav Lobacevski
GHSL-2020-206: Command and template injections in Saagie workflows
GitHub workflows in the saagie/technologies, saagie/technologies-plugin and saagie/sdk repositories are vulnerable to arbitrary code execution.
Jaroslav Lobacevski
GHSL-2020-198: Path manipulation via Zip entry files (ZipSlip) in adm-zip
Path manipulation via Zip entry files (ZipSlip).
GitHub Security Lab
GHSL-2020-195: Arbitrary file write in dd-center/vdb workflow
The submit.yml GitHub workflow is vulnerable to arbitrary file write.
Jaroslav Lobacevski
GHSL-2020-194: Command injection in drewmullen/actions-playground workflows
The comment.yml and output_comment.yml GitHub workflows are vulnerable to arbitrary command injection.
Jaroslav Lobacevski
GHSL-2020-193: Command injection in Ignitus/Ignitus-client workflow
The pr-preview.yml GitHub workflow is vulnerable to arbitrary command injection.
Jaroslav Lobacevski
GHSL-2020-191: Command injection in KanCraft/kanColleWidget workflow
The contrib-notice.yml GitHub workflow is vulnerable to arbitrary command injection.
Jaroslav Lobacevski
GHSL-2020-190: Command injection in fortran-lang/fortran-lang.org workflow
The gen_tweet.yaml GitHub workflow is vulnerable to arbitrary command injection.
Jaroslav Lobacevski
GHSL-2020-189: Command injection in chocolatey-community/chocolatey-package-requests workflow
The handle-comments.yml GitHub workflow is vulnerable to arbitrary command injection.
Jaroslav Lobacevski
GHSL-2020-186: Command injection in thomaseizinger/github-action-gitflow-release-workflow
The draft-new-release.yml GitHub workflow is potentially vulnerable to arbitrary command injection.
Jaroslav Lobacevski
GHSL-2020-185: Arbitrary code execution in Plugins Verified by Homebridge workflow
The plugin-prechecks.yml GitHub workflow is vulnerable to arbitrary code execution.
Jaroslav Lobacevski
GHSL-2020-184: Command injection in bdougie/awesome-black-developers workflow
The readme.yml GitHub workflow is vulnerable to arbitrary command injection.
Jaroslav Lobacevski
GHSL-2020-182: Code injection in JonathanGin52/JonathanGin52 workflow
The connect4.yml GitHub workflow is vulnerable to arbitrary code injection.
Jaroslav Lobacevski
GHSL-2020-171: Command injection in arduino/arduino-cli workflow
The jira-issue.yaml GitHub workflow is vulnerable to arbitrary command injection.
Jaroslav Lobacevski
GHSL-2020-150: Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) in china-live/QQConnect
QQConnect is vulnerable to Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) that may lead to the elevation of privileges and per-user denial of service (DoS).
Jaroslav Lobacevski
GHSL-2020-148: Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) in anjoy8/ChristDDD
ChristDDD is vulnerable to Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) that may lead to the elevation of privileges and per-user denial of service (DoS).
Jaroslav Lobacevski
GHSL-2020-147: Cross-Site Request Forgery (CSRF) in Sustainsys/Saml2
Saml2 is vulnerable to a Cross-Site Request Forgery (CSRF) that may lead to per-user denial of service (DoS).
Jaroslav Lobacevski
GHSL-2020-146: Arbitrary file overwrite, Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) in dotnet-architecture/eShopOnWeb
eShopOnWeb is vulnerable to an Arbitrary File Overwrite, Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) that may lead to the elevation of privileges, per-user denial of service (DoS) and Remote Code Execution (RCE).
Jaroslav Lobacevski
GHSL-2020-308: ReDoS (Regular Expression Denial of Service) in TinyMCE
The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service).
GitHub Security Lab
GHSL-2020-299: ReDoS (Regular Expression Denial of Service) in simple-markdown
The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service).
GitHub Security Lab
GHSL-2020-294: ReDoS (Regular Expression Denial of Service) in jquery.validation - CVE-2021-21252
The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service).
GitHub Security Lab
GHSL-2020-214_223: 10 CVEs in OneDev ranging from pre-auth Remote Code Execution (RCE) to Arbitrary File Read/Write
Multiple vulnerabilities were found in the OneDev project, ranging from pre-auth Remote Code Execution (RCE) to Arbitrary File Read/Write.
Alvaro Munoz
GHSL-2020-201: Prototype pollution in theia/plugin-ext
Prototype pollution in the mergeContents and parseConfigurationData functions.
GitHub Security Lab
GHSL-2020-160: Prototype pollution in Merge-deep
Merge-deep actively attempts to prevent prototype pollution by blocking object property merges into __proto__; however, it still allows for prototype pollution of Object.prototype via a constructor payload.
GitHub Security Lab
GHSL-2020-070: Server-Side Template Injection (SSTI) leading to Remote Code Execution (RCE) in Apache OfBiz
Apache OfBiz is vulnerable to Server-Side Template Injection (SSTI) leading to Remote Code Execution (RCE).
Alvaro Munoz
GHSL-2020-067: Server-Side Template Injection (SSTI) leading to Remote Code Execution (RCE) in Apache OfBiz
Apache OfBiz is vulnerable to Server-Side Template Injection (SSTI) leading to Remote Code Execution (RCE)
Alvaro MunozGHSL-2020-066: Server-Side Template Injection (SSTI) leading to Remote Code Execution (RCE) in Apache OfBiz
Apache OfBiz is vulnerable to Server-Side Template Injection (SSTI) leading to Remote Code Execution (RCE)
Alvaro MunozGHSL-2020-311: Regular Expression Denial of Service in SquadCal
The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)
GitHub Security LabGHSL-2020-309: Regular Expression Denial of Service in Fast-csv - CVE-2020-26256
The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)
GitHub Security LabGHSL-2020-307: Regular Expression Denial of Service in CodeMirror
The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)
GitHub Security LabGHSL-2020-306: Regular Expression Denial of Service in highlight.js
The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)
GitHub Security LabGHSL-2020-300: Regular Expression Denial of Service in markdown-to-jsx
The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)
GitHub Security LabGHSL-2020-298: Regular Expression Denial of Service in Metro-UI-CSS
The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)
GitHub Security LabGHSL-2020-262: Unsafe handling of symbolic links in go-slug unpacking routine - CVE-2020-29529
The unsafe handling of symbolic links in an unpacking routine may enable attackers to read and/or write to arbitrary locations outside the designated target folder.
GitHub Security LabGHSL-2020-261: Unsafe handling of symbolic links in oc unpacking routine - CVE-2020-27833
The unsafe handling of symbolic links in an unpacking routine may enable attackers to read and/or write to arbitrary locations outside the designated target folder.
GitHub Security LabGHSL-2020-256: Unsafe handling of symbolic links in dbdeployer unpacking routine - CVE-2020-26277
The unsafe handling of symbolic links in an unpacking routine may enable attackers to read and/or write to arbitrary locations outside the designated target folder.
GitHub Security LabGHSL-2020-252: Unsafe handling of symbolic links in archiver unpacking routine
The unsafe handling of symbolic links in an unpacking routine may enable attackers to read and/or write to arbitrary locations outside the designated target folder.
GitHub Security LabGHSL-2020-213: Server-Side Template Injection in BrowserUp Proxy - CVE-2020-26282
A Server-Side Template Injection was identified in BrowserUp Proxy enabling attackers to inject arbitrary Java EL expressions, leading to an unauthenticated Remote Code Execution (RCE) vulnerability.
Alvaro MunozGHSL-2020-330: Unauthorized repository modification or secrets exfiltration in two akka repositories
Two GitHub workflows of alpakka-kafka and akka-grpc are vulnerable to unauthorized modification of the base repository or secrets exfiltration from a Pull Request
Jaroslav LobacevskiGHSL-2020-320: Unauthorized repository modification or secrets exfiltration in illright/attractions repository
A GitHub workflow of illright/attractions is vulnerable to unauthorized modification of the base repository or secrets exfiltration from a Pull Request
Jaroslav LobacevskiGHSL-2020-318: Unauthorized repository modification or secrets exfiltration in the GitHub workflow of popsim-consortium/stdpopsim
A GitHub workflow of popsim-consortium/stdpopsim is vulnerable to unauthorized modification of the base repository or secrets exfiltration from a Pull Request
Jaroslav LobacevskiGHSL-2020-317: Unauthorized repository modification or secrets exfiltration in gpuweb/cts repository
A GitHub workflow of gpuweb/cts is vulnerable to unauthorized modification of the base repository or secrets exfiltration from a Pull Request
Jaroslav LobacevskiGHSL-2020-315: Unauthorized repository modification or secrets exfiltration in the GitHub workflow of rux616/karabiner-windows-mode
A GitHub workflow of rux616/karabiner-windows-mode is vulnerable to unauthorized modification of the base repository or secrets exfiltration from a Pull Request
Jaroslav LobacevskiGHSL-2020-288: Unauthorized repository modification or secrets exfiltration in GitHub workflows comsuming awslabs/one-line-scan
The design and promoted usage examples of awslabs/one-line-scan makes consuming workflows vulnerable to arbitrary code execution
Jaroslav LobacevskiGHSL-2020-286: Unauthorized repository modification or secrets exfiltration in the GitHub workflow of PureStake/moonbeam
A GitHub workflow of PureStake/moonbeam is vulnerable to unauthorized modification of the base repository or secrets exfiltration from a Pull Request
Jaroslav LobacevskiGHSL-2020-285: Unauthorized repository modification or secrets exfiltration in the GitHub workflow of cloudevents/sdk-ruby
A GitHub workflow of cloudevents/sdk-ruby is vulnerable to unauthorized modification of the base repository or secrets exfiltration from a Pull Request
Jaroslav Lobacevski
GHSL-2020-284: Unauthorized repository modification or secrets exfiltration in the GitHub workflow of dazuma/toys
A GitHub workflow of dazuma/toys is vulnerable to unauthorized modification of the base repository or secrets exfiltration from a Pull Request.
Jaroslav Lobacevski
GHSL-2020-283: Unauthorized repository modification or secrets exfiltration in the GitHub workflow of GoogleCloudPlatform/functions-framework-ruby
A GitHub workflow of GoogleCloudPlatform/functions-framework-ruby is vulnerable to unauthorized modification of the base repository or secrets exfiltration from a Pull Request.
Jaroslav Lobacevski
GHSL-2020-282: Unauthorized repository modification or secrets exfiltration in the GitHub workflow of open-telemetry/opentelemetry-ruby
A GitHub workflow of open-telemetry/opentelemetry-ruby is vulnerable to unauthorized modification of the base repository or secrets exfiltration from a Pull Request.
Jaroslav Lobacevski
GHSL-2020-281: Unauthorized repository modification or secrets exfiltration in the GitHub workflow of tskit-dev/msprime
A GitHub workflow of tskit-dev/msprime is vulnerable to unauthorized modification of the base repository or secrets exfiltration from a Pull Request.
Jaroslav Lobacevski
GHSL-2020-279: Unauthorized repository modification or secrets exfiltration in the GitHub workflow of is-a-dev/register
A GitHub workflow of is-a-dev/register is vulnerable to unauthorized modification of the base repository or secrets exfiltration from a Pull Request.
Jaroslav Lobacevski
GHSL-2020-278: Unauthorized repository modification or secrets exfiltration in the GitHub workflow of stm32-rs/stm32-rs
A GitHub workflow of stm32-rs/stm32-rs is vulnerable to unauthorized modification of the base repository or secrets exfiltration from a Pull Request.
Jaroslav Lobacevski
GHSL-2020-276: Unauthorized repository modification or secrets exfiltration in nuxt repositories
Two GitHub workflows of nuxt/create-nuxt-app and nuxt/modules are vulnerable to unauthorized modification of the base repository or secrets exfiltration from a Pull Request.
Jaroslav Lobacevski
GHSL-2020-272: Unauthorized repository modification or secrets exfiltration in the GitHub workflow of lampepfl/dotty
A GitHub workflow of lampepfl/dotty is vulnerable to unauthorized modification of the base repository or secrets exfiltration from a Pull Request.
Jaroslav Lobacevski
GHSL-2020-271: Unauthorized repository modification or secrets exfiltration in the GitHub workflow of openzfs/zfs
A GitHub workflow of openzfs/zfs is vulnerable to unauthorized modification of the base repository or secrets exfiltration from a Pull Request.
Jaroslav Lobacevski
GHSL-2020-249: Unauthorized repository modification or secrets exfiltration in the GitHub workflow of aws/amazon-chime-sdk-js
A GitHub workflow of aws/amazon-chime-sdk-js is vulnerable to arbitrary code execution.
Jaroslav Lobacevski
GHSL-2020-248: Unauthorized repository modification or secrets exfiltration in the GitHub workflow of rism-ch/verovio
A GitHub workflow of rism-ch/verovio is vulnerable to arbitrary code execution.
Jaroslav Lobacevski
GHSL-2020-247: Unauthorized repository modification or secrets exfiltration in the GitHub workflow of redwoodjs/redwood
A GitHub workflow of redwoodjs/redwood is vulnerable to arbitrary code execution.
Jaroslav Lobacevski
GHSL-2020-205: Remote Code Execution in Apache Struts 2 - S2-061 - CVE-2020-17530
Double evaluation of Struts tag dynamic attributes leads to Remote Code Execution.
Alvaro Munoz
GHSL-2020-192, GHSL-2020-196: File existence disclosure in aptdaemon - CVE-2020-16128
Two vulnerabilities in aptdaemon allow an unprivileged user to probe the existence of arbitrary files on the system.
Kevin Backhouse
GHSL-2020-168, GHSL-2020-169, GHSL-2020-170: Integer overflows and file descriptor leak in aptd - CVE-2020-27349, CVE-2020-27350, CVE-2020-27351
Some aptd daemon packages contain several bugs which an unprivileged user can exploit to trigger a local denial of service.
Kevin Backhouse
GHSL-2020-212: Template injection in Cron-utils - CVE-2020-26238
A Template Injection was identified in Cron-Utils, enabling attackers to inject arbitrary Java EL expressions and leading to an unauthenticated Remote Code Execution (RCE) vulnerability.
Alvaro Munoz
GHSL-2020-211: Template injection in a GitHub workflow of namin2/dependabot_jira repository
The GitHub workflow template in the namin2/dependabot_jira repository is vulnerable to template injection from user comments.
Jaroslav Lobacevski
GHSL-2020-210: Template injection in the GitHub workflow of hyperspacedev/starlight repository
An automatic GitHub workflow in the hyperspacedev/starlight repository is vulnerable to template injection from user comments.
Jaroslav Lobacevski
GHSL-2020-209: Template injection in a GitHub workflow of ww-tech/primrose repository
An automatic GitHub workflow in the ww-tech/primrose repository is vulnerable to template injection from user comments.
Jaroslav Lobacevski
GHSL-2020-208: Template injection in a GitHub workflow of SourcePointUSA/android-cmp-app repository
An automatic GitHub workflow in the SourcePointUSA/android-cmp-app repository is vulnerable to template injection from user comments.
Jaroslav Lobacevski
GHSL-2020-207: Template injection in a GitHub workflow of repository hashicorp/boundary-ui
An automatic GitHub workflow in the hashicorp/boundary-ui repository is vulnerable to template injection from user comments.
Jaroslav Lobacevski
GHSL-2020-204: Server-Side Template Injection in Corona Warn App Server
A Server-Side Template Injection was identified in Corona Warn App Server, enabling attackers to inject arbitrary Java EL expressions and leading to an unauthenticated Remote Code Execution (RCE) vulnerability.
Alvaro Munoz
GHSL-2020-181: Template injection in the GitHub workflows of symless synergy-core repository
Automatic GitHub workflows in the symless synergy-core repository are vulnerable to template injection from user comments.
Jaroslav Lobacevski
GHSL-2020-180: Template injection in the GitHub workflows of helm-ssm repository
Automatic GitHub workflows in the helm-ssm repository are vulnerable to template injection from user comments.
Jaroslav Lobacevski
GHSL-2020-179: Template injection in the GitHub workflows of codacy-coverage-reporter-action repository
Automatic GitHub workflows in the codacy-coverage-reporter-action repository are vulnerable to template injection from user comments.
Jaroslav Lobacevski
GHSL-2020-178: Template injection in the GitHub workflows of bitbucket-scala-client repository
Automatic GitHub workflows in the bitbucket-scala-client repository are vulnerable to template injection from user comments.
Jaroslav Lobacevski
GHSL-2020-177: Template injection in the GitHub workflows of codacy-pylint repository
Automatic GitHub workflows in the codacy-pylint repository are vulnerable to template injection from user comments.
Jaroslav Lobacevski
GHSL-2020-176: Template injection in the GitHub workflows of codacy-scalameta repository
Automatic GitHub workflows in the codacy-scalameta repository are vulnerable to template injection from user comments.
Jaroslav Lobacevski
GHSL-2020-175: Template injection in the GitHub workflows of codacy-analysis-cli repository
Automatic GitHub workflows in the codacy-analysis-cli repository are vulnerable to arbitrary code execution from user comments.
Jaroslav Lobacevski
GHSL-2020-174: Template injection in the GitHub workflows of codacy-coverage-reporter repository
Automatic GitHub workflows in the codacy-coverage-reporter repository are vulnerable to template injection from user comments.
Jaroslav Lobacevski
GHSL-2020-173: Undocumented template expression evaluation in the gajira-comment GitHub action - CVE-2020-14189
The gajira-comment GitHub action supports undocumented template syntax that may lead to arbitrary code execution.
Jaroslav Lobacevski
GHSL-2020-172: Undocumented template expression evaluation in the gajira-create GitHub action - CVE-2020-14188
The gajira-create GitHub action supports undocumented template syntax that may lead to arbitrary code execution.
Jaroslav Lobacevski
GHSL-2020-137: Unsafe deserialization in Lumisoft Mail Server
Unsafe deserialization vulnerabilities may lead to pre-auth Remote Code Execution (RCE) in Lumisoft MailServer.
Jaroslav Lobacevski
GHSL-2020-136: Unsafe deserialization vulnerabilities in Lumisoft .NET and Lumisoft MailServer
Unsafe deserialization vulnerabilities may lead to pre-auth Remote Code Execution (RCE) in Lumisoft .NET and Lumisoft MailServer.
Jaroslav Lobacevski
GHSL-2020-142: Heap memory corruption in png-img - CVE-2020-28248
The NAN bindings provided by png-img for libpng are vulnerable to an integer overflow which results in an underallocation of heap memory and subsequent heap memory corruption.
Bas Alberts
GHSL-2020-138, GHSL-2020-139: Remote code execution (RCE) and elevation of privileges (EoP) in SmartStoreNET - CVE-2020-27996, CVE-2020-27997
SmartStoreNET 4.0.0 is vulnerable to Remote code execution (RCE) and elevation of privileges (EoP).
Jaroslav Lobacevski
GHSL-2020-202: Local Privilege Escalation (LPE) in Ubuntu gdm3 - CVE-2020-16125
gdm3 can be tricked into launching `gnome-initial-setup`, enabling an unprivileged user to create a new user account for themselves. The new account is a member of the `sudo` group, so this enables the unprivileged user to obtain admin privileges.
Kevin Backhouse
GHSL-2020-187: Denial of Service (DoS) in Ubuntu accountsservice - CVE-2020-16126 - CVE-2020-16127
The accountsservice daemon drops privileges to perform certain operations, but in some cases gives unprivileged users permission to send signals. This means that the unprivileged user can send accounts-daemon a `SIGSTOP` signal, which stops the process and causes a denial of service.
Kevin Backhouse
GHSL-2020-158: Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) in AspNetCoreMvcSharedLocalization
AspNetCoreMvcSharedLocalization is vulnerable to Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) that may lead to the elevation of privileges and per-user denial of service (DoS).
Jaroslav Lobacevski
GHSL-2020-156: Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) in IdentityWithoutEF
IdentityWithoutEF is vulnerable to Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) that may lead to the elevation of privileges and per-user denial of service (DoS).
Jaroslav Lobacevski
GHSL-2020-155: Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) in reactjs-ts-identityserver
reactjs-ts-identityserver is vulnerable to Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) that may lead to the elevation of privileges and per-user denial of service (DoS).
Jaroslav Lobacevski
GHSL-2020-154: Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) in OnionArch
OnionArch is vulnerable to Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) that may lead to the elevation of privileges and per-user denial of service (DoS).
Jaroslav Lobacevski
GHSL-2020-153: Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) in dapper-identity
dapper-identity is vulnerable to Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) that may lead to the elevation of privileges and per-user denial of service (DoS).
Jaroslav Lobacevski
GHSL-2020-152: Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) in DualAuthCore
DualAuthCore is vulnerable to Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) that may lead to the elevation of privileges and per-user denial of service (DoS).
Jaroslav Lobacevski
GHSL-2020-151: Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) in little-aspnetcore-todo
little-aspnetcore-todo is vulnerable to Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) that may lead to the elevation of privileges and per-user denial of service (DoS).
Jaroslav Lobacevski
GHSL-2020-149: Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) in Angular-Core-IdentityServer
Angular-Core-IdentityServer is vulnerable to Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) that may lead to the elevation of privileges and per-user denial of service (DoS).
Jaroslav Lobacevski
GHSL-2020-141: Arbitrary code execution in DatabaseSchemaReader - CVE-2020-26207
DatabaseSchemaReader's tool DatabaseSchemaViewer is vulnerable to arbitrary code execution if a user is tricked into opening a specially crafted .dbschema file.
Jaroslav Lobacevski
GHSL-2020-143: Arbitrary Code Execution in FastReports - CVE-2020-27998
FastReports is vulnerable to arbitrary code execution because it compiles and runs C# code from a report template.
Jaroslav Lobacevski
GHSL-2020-157: Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) in IdentityManager
IdentityManager is vulnerable to Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) that may lead to the elevation of privileges and per-user denial of service (DoS).
Jaroslav Lobacevski
GHSL-2020-134: NULL dereference in Samba - CVE-2020-14323
An unprivileged local user may trigger a NULL dereference bug in Samba's Winbind service, leading to Denial of Service (DoS).
Bas Alberts
GHSL-2020-074, 077, 078: Memory corruptions in HPLIP - CVE-2020-6923
HPLIP contains two memory corruption vulnerabilities which can be triggered by a malicious device or computer that is connected to the same network.
Kevin Backhouse
GHSL-2020-113: Command injection vulnerability in limdu - CVE-2020-4066
The `trainBatch` function has a command injection vulnerability. Clients of the Limdu library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability.
Kevin Backhouse
GHSL-2020-097: Missing hostname validation in twitter-stream - CVE-2020-24392
Missing hostname validation allows an attacker to perform a monster in the middle attack against users of the library.
Agustin Gianni
GHSL-2020-096: Missing hostname validation in tweetstream - CVE-2020-24393
Missing hostname validation allows an attacker to perform a monster in the middle attack against users of tweetstream.
Agustin Gianni
GHSL-2020-145: Command injection on Windows in Opener
Although code execution is part of the intended purpose of Opener, a crafted URL can run an arbitrary shell command rather than just launching a browser.
GitHub Security Lab
GHSL-2020-140: Open redirect in Traefik - CVE-2020-15129
There exists a potential open redirect vulnerability in Traefik's handling of the `X-Forwarded-Prefix` header.
GitHub Security Lab
GHSL-2020-132: SQL Injection in Mailtrain - CVE-2020-24617
SQL injection and missing CSRF protection may lead to Remote Code Execution (RCE) or arbitrary file read.
Jaroslav Lobacevski
GHSL-2020-126: Open URL redirect in Orange Forum 1.x.x
There exists an `Open URL redirect` vulnerability in the 1.x.x branch of Orange Forum. An attacker can send an Orange Forum user a crafted link targeting the login page of Orange Forum, redirecting to a malicious site.
GitHub Security Lab
GHSL-2020-133: Path traversal vulnerability in Adobe git-server - CVE-2020-9708
Malicious users may access any Git repository on the server even if it is outside the served root directory.
Jaroslav Lobacevski
GHSL-2020-109: Command injection in codecov
The `upload` method has a command injection vulnerability. Clients of the `codecov-node` library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability.
GitHub Security Lab
GHSL-2020-095: Monster in the middle attack in em-imap - CVE-2020-13163
Missing hostname validation allows an attacker to perform a monster in the middle attack against users of the library.
Agustin Gianni
GHSL-2020-076: Server-Side Template Injection in Cascade CMS
A user with privileges to edit templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running Cascade CMS.
Alvaro Munoz
GHSL-2020-046: Server-Side Template Injection in XWiki
A user with privileges to edit wiki content may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running XWiki.
Alvaro Munoz
GHSL-2020-042: Server-Side Template Injection in Crafter CMS
A user with privileges to edit a FreeMarker template may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running Crafter CMS.
Alvaro Munoz
GHSL-2020-086, 087, 088, 089: Server-Side Template Injection in Apache Camel - CVE-2020-11994
Apache Camel FreeMarker, Velocity, MVEL and Moustache components are vulnerable to Server-Side Template Injection (SSTI) leading to Remote Code Execution (RCE) or Arbitrary File Disclosure.
Alvaro Munoz
GHSL-2020-069: Unsafe deserialization of XMLRPC arguments in ApacheOfBiz - CVE-2020-9496
Apache OfBiz is vulnerable to pre-auth Remote Code Execution (RCE) via unsafe deserialization.
Alvaro Munoz
GHSL-2020-068: Cross-Site Scripting in Apache OfBiz - CVE-2020-9496
Apache OfBiz is vulnerable to Reflected Cross-Site Scripting through a POST request.
Alvaro Munoz
GHSL-2020-111: Command injection vulnerability in standard-version
The GitHub Security Lab team has identified a potential security vulnerability in standard-version.
Kevin Backhouse
GHSL-2020-072: Arbitrary file disclosure in JinJava - CVE-2020-12668
A user with privileges to write JinJava templates, for example in a CMS context, will be able to read arbitrary files from the file system.
Alvaro Munoz
GHSL-2020-071: Server-side template injection in Lithium CMS
A user with privileges to edit a FreeMarker template may execute arbitrary Java code or run arbitrary system commands with escalated privileges.
Alvaro Munoz
GHSL-2020-047: Server-side template injection in dotCMS
A user with privileges to edit templates may execute arbitrary Java code or run arbitrary system commands with escalated privileges.
Alvaro Munoz
GHSL-2020-045: Server-side template injection in Atlassian Confluence - CVE-2020-4027
A user with privileges to edit User macros may execute arbitrary Java code or run arbitrary system commands with escalated privileges.
Alvaro Munoz
GHSL-2020-043: Server-side template injection in Liferay - CVE-2020-13445
A user with privileges to edit FreeMarker or Velocity templates may execute arbitrary Java code or run arbitrary system commands with escalated privileges.
Alvaro Munoz
GHSL-2020-039: Server-side template injection in Alfresco - CVE-2020-12873
A user with privileges to edit a FreeMarker template may execute arbitrary Java code or run arbitrary system commands with escalated privileges.
Alvaro Munoz
GHSL-2020-058: OOB read in Apache Guacamole prior to 1.2.0 - CVE-2020-9497
The GitHub Security Lab uncovered an OOB read vulnerability in Apache Guacamole prior to version 1.2.0 which may lead to an information leak.
Nico Waisman
GHSL-2020-128: OOB read vulnerability in FreeRDP RLEDECOMPRESS - CVE-2020-4033
The GitHub Security Lab team has uncovered an OOB read vulnerability in FreeRDP's RLEDECOMPRESS function.
Antonio Morales
GHSL-2020-125: Integer signedness mismatch vulnerability in FreeRDP leads to OOB read - CVE-2020-4032
The GitHub Security Lab team has uncovered an integer signedness mismatch vulnerability in FreeRDP's update_recv_secondary_order function which leads to an OOB read vulnerability.
Antonio Morales
GHSL-2020-124: OOB read vulnerability in FreeRDP update_recv_primary_order - CVE-2020-11095
The GitHub Security Lab team has uncovered an OOB read vulnerability in FreeRDP's update_recv_primary_order function.
Antonio MoralesGHSL-2020-107: OOB read vulnerability in FreeRDP update_read_cache_bitmap_v3_order - CVE-2020-11096
The GitHub Security Lab team uncovered an OOB read vulnerability in FreeRDP's update_read_cache_bitmap_v3_order function.
Antonio MoralesGHSL-2020-106: integer signedness mismatch leading to OOB read in FreeRDP - CVE-2020-4030
The GitHub Security Lab team has uncovered an integer signedness mismatch vulnerability in FreeRDP leading to OOB read.
Antonio MoralesGHSL-2020-105: OOB read vulnerability in FreeRDP glyph_cache_put - CVE-2020-11098
The GitHub Security Lab team uncovered an OOB read vulnerability in FreeRDP's glyph_cache_put function
Antonio MoralesGHSL-2020-104: OOB read vulnerability in FreeRDP ntlm_av_pair_get - CVE-2020-11097
The GitHub Security Lab team uncovered an OOB read vulnerability in FreeRDP's ntlm_av_pair_get function.
Antonio MoralesGHSL-2020-103: OOB read vulnerability in FreeRDP license_read_new_or_upgrade_license_packet - CVE-2020-11099
The GitHub Security Lab team uncovered an OOB read vulnerability in FreeRDP's license_read_new_or_upgrade_license_packet function.
Antonio MoralesGHSL-2020-122: Command injection in git-diff-apply
The GitHub Security Lab team has identified a potential remote code execution in git-diff-apply.
Kevin BackhouseGHSL-2020-110: Command Injection in mversion
The GitHub Security Lab team has identified a potential remote code execution in mversion
Kevin BackhouseGHSL-2020-119: command injection vulnerability in node-dns-sync resolve method - CVE-2020-11079
The Github team has identified a command injection vulnerability in the resolve method of the node-dns-sync library.
Kevin BackhouseGHSL-2020-102: Heap overflow in FreeRDP crypto_rsa_common - CVE-2020-13398
The GitHub Security Lab team has identified a heap overflow in FreeRDP's crypto_rsa_common function.
Antonio MoralesGHSL-2020-101: NULL dereference in FreeRDP FIPS routines - CVE-2020-13397
The GitHub Security Lab team identified a NULL dereference in FreeRDP's libfreerdp.
Antonio MoralesGHSL-2020-100: Out of Bounds (OOB) read vulnerability in FreeRDP - CVE-2020-13396
The GitHub Security Lab team has identified an Out of Bounds read vulnerability in FreeRDP's ntlm_read_ChallengeMessage function.
Antonio MoralesGHSL-2020-099: mXSS vulnerability in AngularJS
The GitHub Security Lab team has found a potential mXSS vulnerabulity in AngularJS.
Alvaro MunozGHSL-2020-094: Missing SSL/TLS certificate hostname validation in em-http-request - CVE-2020-13482
The GitHub Security Lab team uncovered a missing hostname validation vulnerability in the em-http-request library that allows an attacker to perform a Person In The Middle (PITM) attack against users of the library.
Agustin GianniGHSL-2020-075, GHSL-2020-079, GHSL-2020-080, GHSL-2020-081, GHSL-2020-082, GHSL-2020-083, GHSL-2020-084: Multiple vulnerabilities in SANE Backends (DoS, RCE)
The GitHub Security Lab team identified multiple memory corruption vulnerabilities in SANE Backends which may lead to Denial of Service (DoS) and Remote Code Execution (RCE).
Kevin Backhouse
GHSL-2020-064: integer overflow in LibVNCClient HandleCursorShape resulting in remote heap overflow - CVE-2019-20788
The GitHub Security Lab team detected an integer overflow in the LibVNCClient HandleCursorShape RFB event handler.
Bas Alberts
GHSL-2020-057: dbus file descriptor leak (DoS) - CVE-2020-12049
The GitHub Security Lab team has identified a file descriptor leak in dbus that can lead to local Denial of Service.
Kevin Backhouse
GHSL-2020-073: Path traversal in Jooby - CVE-2020-7647
The GitHub Security Lab team has identified a path traversal vulnerability in Jooby that can lead to information disclosure.
Alvaro Munoz
GHSL-2020-055: Server-Side Template Injection in Apache Syncope (RCE) - CVE-2019-17557
The GitHub Security Lab team has identified several potential security vulnerabilities in Apache Syncope, including RCE and XSS.
Alvaro Munoz
GHSL-2020-054: XSS in Apache Syncope - CVE-2020-1961
The GitHub Security Lab team has identified an XSS vulnerability in Apache Syncope.
Alvaro Munoz
GHSL-2020-029: Server-Side template injection in Apache Syncope (RCE) - CVE-2020-1959
The GitHub Security Lab team has identified a Server-Side Template Injection vulnerability in Apache Syncope, which leads to RCE.
Alvaro Munoz
GHSL-2020-020: EL expression input sanitation bypass in Hibernate Validator - CVE-2020-10693
The GitHub Security Lab team has identified an EL expression input sanitization bypass vulnerability in Hibernate Validator.
Alvaro Munoz
GHSL-2020-085: Open redirect vulnerability in Sourcegraph - CVE-2020-12283
By exploiting an open redirect vulnerability, an attacker could redirect a victim to an arbitrary URL and access their OAuth token.
Alvaro Munoz
GHSL-2020-051, GHSL-2020-052: Multiple vulnerabilities in NTOP nDPI
The GitHub Security Lab team has identified several potential security vulnerabilities in NTOP nDPI, including RCE and DoS.
Bas Alberts
GHSL-2020-010: Out-Of-Bounds write in Android Open Source Project - CVE-2020-0070
An OOB write in AOSP allows an attacker within NFC range to obtain remote code execution in the Android device's NFC daemon.
Man Yue Mo
GHSL-2020-008: Out-Of-Bounds write in Android Open Source Project - CVE-2020-0071
An OOB write in AOSP allows an attacker within NFC range to obtain remote code execution in the Android device's NFC daemon.
Man Yue Mo
GHSL-2020-007: Out-of-bounds write in Android Open Source Project - CVE-2020-0072
An OOB write in AOSP allows an attacker within NFC range to obtain remote code execution in the Android device's NFC daemon.
Man Yue Mo
GHSL-2020-006: Out-Of-Bounds write in Android Open Source Project - CVE-2020-0073
An OOB write in AOSP allows an attacker within NFC range to obtain remote code execution in the Android device's NFC daemon.
Man Yue Mo
GHSL-2020-031: SQL injection in PureFTPd
Improper sanitization of SQL queries leads to SQL injection via a configuration file.
Antonio Morales
GHSL-2020-053: Use After Free in Chrome WebAudio
The GitHub Security Lab team has identified a use-after-free in Chrome WebAudio.
Man Yue Mo
GHSL-2020-041: Use After Free in Chrome WebAudio
The GitHub Security Lab team has identified a use-after-free in Chrome WebAudio.
Man Yue Mo
GHSL-2020-040: Use After Free in Chrome WebAudio
The GitHub Security Lab team has identified a use-after-free in Chrome WebAudio.
Man Yue Mo
GHSL-2020-038: Use after free in Chrome WebAudio
The GitHub Security Lab team has identified a use-after-free in Chrome WebAudio.
Man Yue Mo
GHSL-2020-037: Use after free in Chrome WebAudio
The GitHub Security Lab team has identified a use-after-free in Chrome WebAudio.
Man Yue Mo
GHSL-2020-035: Use after free in Chrome WebAudio
The GitHub Security Lab team has identified a use-after-free in Chrome WebAudio.
Man Yue Mo
GHSL-2020-030: Server-Side Template Injection in Dropwizard
Server-Side Template Injection in Dropwizard leading to Remote Code Execution (RCE).
Alvaro Munoz
GHSL-2020-015: Remote Code Execution - Bypass of CVE-2018-16621 mitigations in Nexus Repository Manager
High privileged users can bypass the existing mitigations and inject arbitrary Java EL expressions in Nexus Repository Manager, leading to a Remote Code Execution (RCE) vulnerability.
Alvaro Munoz
GHSL-2020-014: Remote Code execution - Dynamic Code Evaluation via Scheduled Tasks in Nexus Repository Manager
It is possible for a user with the right permissions to execute arbitrary Groovy or JavaScript scripts, resulting in remote code execution.
Alvaro Munoz
GHSL-2020-013: Remote Code Execution - Dynamic Code Evaluation via Scripts in Nexus Repository Manager
It is possible for a user with the right permissions to execute arbitrary Groovy or JavaScript scripts, resulting in remote code execution.
Alvaro Munoz
GHSL-2020-012: Remote Code Execution - JavaEL Injection (high privileged accounts) in Nexus Repository Manager
High privileged users can inject arbitrary Java EL expressions in Nexus Repository Manager, leading to a Remote Code Execution (RCE) vulnerability.
Alvaro Munoz
GHSL-2020-009: UAF leads to RCE in ProFTPD
A use-after-free vulnerability in ProFTPD could allow a remote attacker to execute arbitrary code on the affected system.
Antonio Morales
GHSL-2020-016: Persistent Cross-Site scripting in Nexus Repository Manager
An attacker with elevated privileges can create content selectors with a specially crafted name using the REST API, which, when viewed by another user, can execute arbitrary JavaScript in the context of the NXRM application.
Alvaro Munoz
GHSL-2020-011: Remote Code Execution - JavaEL Injection (low privileged accounts) in Nexus Repository Manager
Attackers can inject arbitrary Java EL expressions in Nexus Repository Manager, leading to a Remote Code Execution (RCE) vulnerability.
Alvaro Munoz
GHSL-2020-056: Double free in OpenSSL client
The GitHub Security Lab team has identified a security issue in OpenSSL in which an attacker can force a client into freeing the same memory twice.
Agustin Gianni
GHSL-2020-028: Server-Side Template Injection in Netflix Titus
A Server-Side Template Injection was identified in Netflix Titus enabling attackers to inject arbitrary Java EL expressions, leading to a pre-auth Remote Code Execution (RCE) vulnerability.
Alvaro Munoz
GHSL-2020-027: Server-Side Template Injection in Netflix Conductor
A Server-Side Template Injection was identified in Netflix Conductor enabling attackers to inject arbitrary Java EL expressions, leading to a pre-auth Remote Code Execution (RCE) vulnerability.
Alvaro Munoz
GHSL-2020-032: out-of-bounds (OOB) read vulnerability in PureFTPd
An out-of-bounds (OOB) read vulnerability has been detected in PureFTPd's pure_strcmp function.
Antonio Morales
GHSL-2020-026: Person in the middle attacks with lua-openssl
Several security issues have been found in the way X509 certificate validation functions are exposed to Lua. Clients using certain functions in lua-openssl are exposed to person-in-the-middle attacks.
Agustin Gianni
GHSL-2020-025: OOB read and DoS in PureFTPd
An uninitialized pointer vulnerability in PureFTPd results in out-of-bounds reads and Denial of Service.
Antonio Morales
GHSL-2020-003, GHSL-2020-004, GHSL-2020-005: Person in the middle attack on openfortivpn clients
Several security issues have been found in the way openfortivpn deals with TLS. These issues can lead to situations in which an attacker can perform a person-in-the-middle attack on clients.
Agustin Gianni
GHSL-2020-002: out-of-bounds (OOB) read in ProFTPD
An out-of-bounds (OOB) read vulnerability was detected in mod_cap.
Antonio Morales
GHSL-2020-001: Off-by-one heap overflow in Bftpd
Under certain circumstances, an off-by-one heap overflow can occur in the command_retr function.
Antonio Morales
Disclosure policy
Last updated: November 10th, 2021
The GitHub Security Lab research team is dedicated to working closely with the open source community and with projects that are affected by a vulnerability, in order to protect users and ensure a coordinated disclosure. When we identify a vulnerability in a project, we will report it by contacting the publicly-listed security contact for the project if one exists; otherwise we will attempt to contact the project maintainers directly.
If the project team responds and agrees the issue poses a security risk, we will work with the project security team or maintainers to communicate the vulnerability in detail, and agree on the process for public disclosure. Responsibility for developing and releasing a patch lies firmly with the project team, though we aim to facilitate this by providing detailed information about the vulnerability.
Our deadline for publicly disclosing a vulnerability is 90 days after the first report to the project team.
We appreciate the hard work maintainers put into fixing vulnerabilities and understand that sometimes more time is required to properly address an issue. We want project maintainers to succeed, and because of that we are always open to discussing our disclosure policy to fit your specific requirements, when warranted.
We believe that sharing a disclosure policy with maintainers is the first step to a smooth collaboration and we encourage all vulnerability reporters to do so. If our disclosure policy resonates with you feel free to copy it and use it for your own disclosures.
Please contact us at securitylab@github.com if you have any questions about our disclosure policy or our security research.